FreeBSD Bugzilla – Attachment 196709 Details for
Bug 231022
www/grafana2: Add VuXML entry for CVE-2018-558213
[patch] vuxml-grafana2.patch (text/plain), 1.83 KB, created by Dmitri Goutnik on 2018-08-30 13:32:31 UTC
>Index: security/vuxml/vuln.xml >=================================================================== >--- security/vuxml/vuln.xml (revision 478425) >+++ security/vuxml/vuln.xml (working copy) >@@ -58,6 +58,41 @@ > * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) > --> > <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> >+ <vuln vid="ca60a0ce-ac57-11e8-9cb6-10c37b4ac2ea"> >+ <topic>grafana2 -- LDAP and OAuth login vulnerability</topic> >+ <affects> >+ <package> >+ <name>grafana2</name> >+ <range><ge>2.0.0</ge></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <p>Grafana Labs reports:</p> >+ <blockquote cite="https://community.grafana.com/t/grafana-5-2-3-and-4-6-4-security-update/10050"> >+ <p>On the 20th of August at 1800 CEST we were contacted about a >+ potential security issue with the âremember meâ cookie Grafana >+ sets upon login. The issue targeted users without a local Grafana >+ password (LDAP & OAuth users) and enabled a potential attacker >+ to generate a valid cookie knowing only a username.</p> >+ <p>All installations which use the Grafana LDAP or OAuth >+ authentication features must be upgraded as soon as possible. If >+ you cannot upgrade, you should switch authentication mechanisms >+ or put additional protections in front of Grafana such as a >+ reverse proxy.</p> >+ </blockquote> >+ </body> >+ </description> >+ <references> >+ <url>https://community.grafana.com/t/grafana-5-2-3-and-4-6-4-security-update/10050</url> >+ <cvename>CVE-2018-558213</cvename> >+ </references> >+ <dates> >+ <discovery>2018-08-20</discovery> >+ <entry>2018-08-30</entry> >+ </dates> >+ </vuln> >+ > <vuln vid="0904e81f-a89d-11e8-afbb-bc5ff4f77b71"> > <topic>node.js -- multiple vulnerabilities</topic> > <affects>
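Review bot: In the references block, the value in <cvename>CVE-2018-558213</cvename> should be verified against the identifier given in the Grafana advisory linked in <url> before this is committed, because the same string is used in the bug title and a mistyped CVE name breaks lookups by CVE. In <affects>, <range><ge>2.0.0</ge></range> has no upper bound, so every grafana2 version from 2.0.0 onward is flagged with no fixed release; if that is intentional because the advisory URL names only 5.2.3 and 4.6.4 as updates, state it in the commit message. In the blockquote, the quotation marks around "remember me" are non-ASCII and render garbled in this view, and the ampersand in "LDAP & OAuth users" must be written as &amp; for vuln.xml to stay well-formed; plain ASCII quotes and the entity avoid both problems.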
Flags: dmgk: maintainer-approval?