SUSE Package Hub - SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-623

Update Info

SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-623

Security update for grafana

Type: security

Severity: important

Issued: 2025-02-21

Description:

This update for grafana fixes the following issues:

grafana was updated from version 10.4.13 to 10.4.15:

- Security issues fixed:
    * CVE-2024-45339: Fixed vulnerability when creating log files (bsc#1236559)
    * CVE-2024-11741: Fixed the Grafana Alerting VictorOps integration (bsc#1236734)
    * CVE-2025-21613: Removed vulnerable library github.com/go-git/go-git/v5 (bsc#1235574)
    * CVE-2024-28180: Fixed improper handling of highly compressed data (bsc#1235206)
- Other bugs fixed and changes:
    * Alerting: Do not fetch Orgs if the user is authenticated by apikey/sa or render key
    * Added provisioning directories
    * Use /bin/bash in wrapper scripts

References

CVE: CVE-2025-21613
CVE: CVE-2024-45339
CVE: CVE-2024-28180
CVE: CVE-2024-11741
Bugzilla: 1236734 VUL-0: CVE-2024-11741: grafana: Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission
Bugzilla: 1236559 VUL-0: CVE-2024-45339: grafana: github.com/golang/glog: Vulnerability when creating log files in github.com/golang/glog
Bugzilla: 1235574 VUL-0: CVE-2025-21613: grafana: github.com/go-git/go-git/v5: argument injection via the URL field
Bugzilla: 1235206 VUL-0: CVE-2024-28180: grafana: github.com/go-jose/go-jose/v3: improper handling of highly compressed data

Packages

grafana-10.4.15-150200.3.64.1