-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3793
             grafana security, bug fix, and enhancement update
                             10 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           grafana
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
                   Access Confidential Data       -- Remote/Unauthenticated
                   Reduced Security               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-34558 CVE-2021-33197 CVE-2021-33195
                   CVE-2021-27358 CVE-2021-3114 

Reference:         ESB-2021.3652
                   ESB-2021.3476
                   ESB-2021.3141
                   ESB-2021.2748

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:4226

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: grafana security, bug fix, and enhancement update
Advisory ID:       RHSA-2021:4226-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:4226
Issue date:        2021-11-09
CVE Names:         CVE-2021-3114 CVE-2021-27358 CVE-2021-33195 
                   CVE-2021-33197 CVE-2021-34558 
=====================================================================

1. Summary:

An update for grafana is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Grafana is an open source, feature rich metrics dashboard and graph editor
for Graphite, InfluxDB & OpenTSDB. 

The following packages have been upgraded to a later upstream version:
grafana (7.5.9). (BZ#1921191)

Security Fix(es):

* golang: crypto/elliptic: incorrect operations on the P-224 curve
(CVE-2021-3114)

* grafana: snapshot feature allow an unauthenticated remote attacker to
trigger a DoS via a remote API call (CVE-2021-27358)

* golang: net: lookup functions may return invalid host names
(CVE-2021-33195)

* golang: net/http/httputil: ReverseProxy forwards connection headers if
first one is empty (CVE-2021-33197)

* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.5 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1918750 - CVE-2021-3114 golang: crypto/elliptic: incorrect operations on the P-224 curve
1921191 - Rebase of Grafana for RHEL 8.5
1941024 - CVE-2021-27358 grafana: snapshot feature allow an unauthenticated remote attacker to trigger a DoS via a remote API call
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
grafana-7.5.9-4.el8.src.rpm

aarch64:
grafana-7.5.9-4.el8.aarch64.rpm
grafana-debuginfo-7.5.9-4.el8.aarch64.rpm

ppc64le:
grafana-7.5.9-4.el8.ppc64le.rpm
grafana-debuginfo-7.5.9-4.el8.ppc64le.rpm

s390x:
grafana-7.5.9-4.el8.s390x.rpm
grafana-debuginfo-7.5.9-4.el8.s390x.rpm

x86_64:
grafana-7.5.9-4.el8.x86_64.rpm
grafana-debuginfo-7.5.9-4.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3114
https://access.redhat.com/security/cve/CVE-2021-27358
https://access.redhat.com/security/cve/CVE-2021-33195
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYYrdrNzjgjWX9erEAQjIBBAApAbs0AowqV5/LUBlo1TZt/0zSycChREp
eDRdiZ3xVBYnmHYSeuZ2f4OwE2CHMuE2bDUShzpJhUDIbzWnaqgGJbEAonf8diGM
dAR9eegyvIMjPoxwEy+BNE74CNzVbBNTq6A6zM1KGxJEo0G+h8zKns4wDae+Hk6K
p4oQofmNbZsRlqsNLLMyhkjqZNEb5+aX/L4C3AkDdT3yD2NztTs6pvQstNbuSL0J
8v3br8wP1ST7JOV7woZO9X+1WupMKwbvnKo03YNIzrSI+ACg9zSZtMICmtE/ZGq7
8KtaDFhap68PRjNQdtl9gfrLSkSQSpv3ZaZWQVmN1p9nowsy/yeiq1+Uh5+TVPYo
7KJcO9M893iZ2Aw5fb5IFdDVXjqgSb99RL1PSK0U6smY8iXpMXHldLjo9FfohyqF
pkqndNxFTOELO4l/gaZ3xBCsKKerq+SGVwISNXZ4FCFdyDG5q1RBl2Qok/4UacVC
Gp6jfSeYJ6zShOfJHxoivFr2tZolcagklTB+3mj/EWN0Jxz1nbKUqsEZTULGvi91
tjWWZhFt576a+fgB733hl0B+eLxkPpTX+WGReWMJEPx3gMGrh6/aBU3DwvlV+8cH
dv4z/MZhsISB3SgK1QuTvv+zzhmU2Y6fiAEr6EVK1PL5MD317SbWYJdmB3nzGvcC
Bvw6vrjMrxA=
=NBaR
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYYtSl+NLKJtyKPYoAQh+xg//adyBQWjNwNelY0zseKVOVQ/HKDhE2XNk
zwp0ztQlA2wgYYo2j5z6YY0S+eT28qHiRUfcc+X/p7akydKaRAeW7yDtNd+Rig7o
51lywPj7gsAnuU+kcnhRk/yPCgw2MAeqlCoE60zvoIt4e35i81nHYbZzI8KXHsGR
hxx+Fw4cLZ9yaCwbzNfBEkmWtIf9x60w05C+d634oQQi+5vcsJAnR1QGsQCLLTMc
5W69wK3q5F/VgdQPNlTEn47R3os6D3O1dn+sNrJzmyZ+0RDjLqd5Mf8MJQGp3LnP
42VZTZAVmrK3vcUrPlfW0Gd01d14NmILCPE0Q7RzuJR2ap3iZU5HdxEeHswg0q7J
kEIQeFcAci6rvrUOveovMNzs34YU6JhCnMoxabeCMVSlqI7u4QwBqWNaJWi2Tyak
kX41dsXen6Q/ZJzQcvYio0RXInDI9upl+T59FfFxJwLgXMTCkrImd8u8AhHparW/
1Dua+NtKu0SM2IyqS3S5osttCHaKmx4f78iY9RY2zE6fopJWByQupLGDreQRkGZ4
fy8rYpI40PLkyps0SopKQ6B3WaBw3vXKcnQyyffao47G7dhGTGjzrluOHDlpRFB9
yQ40jJQdtsBdjrRGkU8ioJBYwynsY1bMAPHRQTSWKXQCFza+6M/sLoTEkE4Mn9FT
mfLNp4hgrAc=
=eGKN
-----END PGP SIGNATURE-----