SUSE alert SUSE-SU-2026:1037-1 (grafana)
| From: | OPENSUSE-SECURITY-UPDATES <null@suse.de> | |
| To: | security-announce@lists.opensuse.org | |
| Subject: | SUSE-SU-2026:1037-1: important: Security update for grafana | |
| Date: | Wed, 25 Mar 2026 16:31:01 -0000 | |
| Message-ID: | <177445626138.743.12678513550479534764@1fb0c5c8c07c> | |
| Archive-link: | Article |
# Security update for grafana Announcement ID: SUSE-SU-2026:1037-1 Release Date: 2026-03-25T10:31:13Z Rating: important References: * bsc#1245302 * bsc#1255340 * bsc#1257337 * bsc#1257349 * bsc#1258136 * jsc#MSQA-1045 Cross-References: * CVE-2025-3415 * CVE-2025-68156 * CVE-2026-21720 * CVE-2026-21721 * CVE-2026-21722 CVSS scores: * CVE-2025-3415 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2025-3415 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N * CVE-2025-3415 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N * CVE-2025-68156 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2025-68156 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2025-68156 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-21720 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-21720 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-21721 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-21721 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N * CVE-2026-21721 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N * CVE-2026-21722 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2026-21722 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N * CVE-2026-21722 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Affected Products: * openSUSE Leap 15.6 * SUSE Linux Enterprise Desktop 15 SP7 * SUSE Linux Enterprise Real Time 15 SP7 * SUSE Linux Enterprise Server 15 SP7 * SUSE Linux Enterprise Server for SAP Applications 15 SP7 * SUSE Package Hub 15 15-SP7 An update that solves five vulnerabilities and contains one feature can now be installed. ## Description: This update for grafana fixes the following issues: * Security issues fixed: * CVE-2026-21722: Public dashboards annotations: use dashboard timerange if time selection disabled (bsc#1258136) * CVE-2026-21721: Fixed access control by the dashboard permissions API (bsc#1257337) * CVE-2026-21720: Fixed unauthenticated DoS (bsc#1257349) * CVE-2025-68156: Fixed potential DoS via unbounded recursion in builtin functions (bsc#1255340) * CVE-2025-3415: Fixed exposure of DingDing alerting integration URL to Viewer level users (bsc#1245302) * Version update from 11.5.10 to 11.6.11 with the following highlighted changes and fixes: * Performance Boost: Introduced WebGL-powered geomaps for smoother map visualizations and removed blurred backgrounds from UI overlays to speed up the interface. * One-Click Actions: Visualizations now support faster navigation via one- click links and actions. * Alerting History: Added version history for alert rules, allowing you to track changes over time. * Service Accounts: Automated the migration of old API keys to more secure Service Accounts upon startup. * Cron Support: Annotations now support Cron syntax for more flexible scheduling. * Identity and Auth: Hardened the Avatar feature (now requires sign-in) and fixed several login redirection issues when Grafana is hosted on a subpath. * Data Source Support: Added support for Cloud Partner Prometheus data sources and improved Azure legend formatting. * Alerting Limits: Added size limits for expanded notification templates to prevent system strain. * RBAC: Integrated Role-Based Access Control (RBAC) into the Alertmanager via the reqAction field. * Data Consistency: Fixed several issues with Graphite and InfluxDB regarding how variables are handled in repeated rows or nested queries. * Dashboard Reliability: Resolved bugs involving row repeats and "self- referencing" data links. * Alerting Fixes: Patched a critical "panic" (crash) caused by a race condition in alert rules and fixed issues where contact points weren't working correctly. * URL Handling: Fixed a bug where "true" values in URL parameters weren't being read correctly ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.6 zypper in -t patch openSUSE-SLE-15.6-2026-1037=1 * SUSE Package Hub 15 15-SP7 zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-1037=1 ## Package List: * openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64) * grafana-debuginfo-11.6.11-150200.3.83.1 * grafana-11.6.11-150200.3.83.1 * SUSE Package Hub 15 15-SP7 (aarch64 ppc64le s390x x86_64) * grafana-debuginfo-11.6.11-150200.3.83.1 * grafana-11.6.11-150200.3.83.1 ## References: * https://www.suse.com/security/cve/CVE-2025-3415.html * https://www.suse.com/security/cve/CVE-2025-68156.html * https://www.suse.com/security/cve/CVE-2026-21720.html * https://www.suse.com/security/cve/CVE-2026-21721.html * https://www.suse.com/security/cve/CVE-2026-21722.html * https://bugzilla.suse.com/show_bug.cgi?id=1245302 * https://bugzilla.suse.com/show_bug.cgi?id=1255340 * https://bugzilla.suse.com/show_bug.cgi?id=1257337 * https://bugzilla.suse.com/show_bug.cgi?id=1257349 * https://bugzilla.suse.com/show_bug.cgi?id=1258136 * https://jira.suse.com/browse/MSQA-1045
Attachment: None (type=text/html)
(HTML attachment elided)