svn commit: r478626 - head/security/vuxml
Steve Wills
swills at FreeBSD.org
Fri Aug 31 23:47:51 UTC 2018
Author: swills
Date: Fri Aug 31 23:47:50 2018
New Revision: 478626
URL: https://svnweb.freebsd.org/changeset/ports/478626
Log:
Document grafana issues
PR: 231019
PR: 231020
PR: 231021
PR: 231022
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Fri Aug 31 23:44:08 2018 (r478625)
+++ head/security/vuxml/vuln.xml Fri Aug 31 23:47:50 2018 (r478626)
@@ -58,6 +58,53 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="1f8d5806-ac51-11e8-9cb6-10c37b4ac2ea">
+ <topic>grafana -- LDAP and OAuth login vulnerability</topic>
+ <affects>
+ <package>
+ <name>grafana5</name>
+ <range><ge>5.0.0</ge><lt>5.2.3</lt></range>
+ </package>
+ <package>
+ <name>grafana4</name>
+ <range><ge>4.0.0</ge><lt>4.6.4</lt></range>
+ </package>
+ <package>
+ <name>grafana3</name>
+ <range><ge>3.0.0</ge></range>
+ </package>
+ <package>
+ <name>grafana2</name>
+ <range><ge>2.0.0</ge></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Grafana Labs reports:</p>
+ <blockquote cite="https://community.grafana.com/t/grafana-5-2-3-and-4-6-4-security-update/10050">
+ <p>On the 20th of August at 1800 CEST we were contacted about a
+ potential security issue with the “remember me” cookie Grafana
+ sets upon login. The issue targeted users without a local Grafana
+ password (LDAP & OAuth users) and enabled a potential attacker
+ to generate a valid cookie knowing only a username.</p>
+ <p>All installations which use the Grafana LDAP or OAuth
+ authentication features must be upgraded as soon as possible. If
+ you cannot upgrade, you should switch authentication mechanisms
+ or put additional protections in front of Grafana such as a
+ reverse proxy.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://community.grafana.com/t/grafana-5-2-3-and-4-6-4-security-update/10050</url>
+ <cvename>CVE-2018-558213</cvename>
+ </references>
+ <dates>
+ <discovery>2018-08-20</discovery>
+ <entry>2018-08-31</entry>
+ </dates>
+ </vuln>
+
<vuln vid="ffeb25d0-ac94-11e8-ab15-d8cb8abf62dd">
<topic>Gitlab -- multiple vulnerabilities</topic>
<affects>
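Review bot: The `<cvename>CVE-2018-558213</cvename>` line in the new grafana entry should be checked against the upstream advisory cited in `<url>`. A six-digit sequence number is unusual for a 2018 CVE, and a mistyped ID leaves the entry without a usable CVE cross-reference. Two smaller points in the same entry: if the bare `&` in "LDAP & OAuth" inside the XHTML `<body>` is how the file reads, it needs to be `&amp;` for vuln.xml to stay well-formed. The `grafana3` and `grafana2` ranges carry only `<ge>` with no `<lt>`, so every later version of those packages is flagged as affected. If that is intended because those branches have no fixed release, a short XML comment saying so would save the next editor from guessing.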