Date:      Fri, 31 Aug 2018 23:47:50 +0000 (UTC)
From:      Steve Wills <swills@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r478626 - head/security/vuxml
Message-ID:  <201808312347.w7VNlo5f021795@repo.freebsd.org>

Author: swills
Date: Fri Aug 31 23:47:50 2018
New Revision: 478626
URL: https://svnweb.freebsd.org/changeset/ports/478626

Log:
  Document grafana issues
  
  PR:		 231019
  PR:		 231020
  PR:		 231021
  PR:		 231022

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Fri Aug 31 23:44:08 2018	(r478625)
+++ head/security/vuxml/vuln.xml	Fri Aug 31 23:47:50 2018	(r478626)
@@ -58,6 +58,53 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="1f8d5806-ac51-11e8-9cb6-10c37b4ac2ea">
+    <topic>grafana -- LDAP and OAuth login vulnerability</topic>
+    <affects>
+      <package>
+	<name>grafana5</name>
+	<range><ge>5.0.0</ge><lt>5.2.3</lt></range>
+      </package>
+      <package>
+	<name>grafana4</name>
+	<range><ge>4.0.0</ge><lt>4.6.4</lt></range>
+      </package>
+      <package>
+	<name>grafana3</name>
+	<range><ge>3.0.0</ge></range>
+      </package>
+      <package>
+	<name>grafana2</name>
+	<range><ge>2.0.0</ge></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Grafana Labs reports:</p>
+	<blockquote cite="https://community.grafana.com/t/grafana-5-2-3-and-4-6-4-security-update/10050">;
+	  <p>On the 20th of August at 1800 CEST we were contacted about a
+	    potential security issue with the “remember me” cookie Grafana
+	    sets upon login. The issue targeted users without a local Grafana
+	    password (LDAP &amp; OAuth users) and enabled a potential attacker
+	    to generate a valid cookie knowing only a username.</p>
+	  <p>All installations which use the Grafana LDAP or OAuth
+	    authentication features must be upgraded as soon as possible. If
+	    you cannot upgrade, you should switch authentication mechanisms
+	    or put additional protections in front of Grafana such as a
+	    reverse proxy.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://community.grafana.com/t/grafana-5-2-3-and-4-6-4-security-update/10050</url>;
+      <cvename>CVE-2018-558213</cvename>
+    </references>
+    <dates>
+      <discovery>2018-08-20</discovery>
+      <entry>2018-08-31</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="ffeb25d0-ac94-11e8-ab15-d8cb8abf62dd">
     <topic>Gitlab -- multiple vulnerabilities</topic>
     <affects>
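Review bot: The `<cvename>` in the new grafana entry, `CVE-2018-558213`, should be checked against the upstream advisory, because a six-digit sequence number looks unlikely for a 2018 assignment and the quoted announcement text in the entry does not show a CVE at all. A wrong identifier would stop CVE-based lookups and audit tooling from matching this vid to the real record. Separately, the `grafana3` and `grafana2` packages carry only `<ge>3.0.0</ge>` and `<ge>2.0.0</ge>` with no upper bound, so every version of those ports stays flagged indefinitely. If that is deliberate because those branches received no fix, a short XML comment next to the ranges such as `<!-- no fixed release exists for this branch -->` would make the intent clear to later editors. The enclosing `<vuxml>` element and the following Gitlab entry continue outside the hunk.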


