SUSE-SU-2026:1037-1
Vulnerability Summary
Description
Security update for grafana

This update for grafana fixes the following issues:

- Security issues fixed:
  - CVE-2026-21722: Public dashboards annotations: use dashboard timerange if time selection disabled (bsc#1258136)
  - CVE-2026-21721: Fixed access control by the dashboard permissions API (bsc#1257337)
  - CVE-2026-21720: Fixed unauthenticated DoS (bsc#1257349)
  - CVE-2025-68156: Fixed potential DoS via unbounded recursion in builtin functions (bsc#1255340)
  - CVE-2025-3415: Fixed exposure of DingDing alerting integration URL to Viewer level users (bsc#1245302)
- Version update from 11.5.10 to 11.6.11 with the following highlighted changes and fixes:
  - Performance Boost: Introduced WebGL-powered geomaps for smoother map visualizations and removed blurred backgrounds from UI overlays to speed up the interface.
  - One-Click Actions: Visualizations now support faster navigation via one-click links and actions.
  - Alerting History: Added version history for alert rules, allowing you to track changes over time.
  - Service Accounts: Automated the migration of old API keys to more secure Service Accounts upon startup.
  - Cron Support: Annotations now support Cron syntax for more flexible scheduling.
  - Identity and Auth: Hardened the Avatar feature (now requires sign-in) and fixed several login redirection issues when Grafana is hosted on a subpath.
  - Data Source Support: Added support for Cloud Partner Prometheus data sources and improved Azure legend formatting.
  - Alerting Limits: Added size limits for expanded notification templates to prevent system strain.
  - RBAC: Integrated Role-Based Access Control (RBAC) into the Alertmanager via the reqAction field.
  - Data Consistency: Fixed several issues with Graphite and InfluxDB regarding how variables are handled in repeated rows or nested queries.
  - Dashboard Reliability: Resolved bugs involving row repeats and 'self-referencing' data links.
  - Alerting Fixes: Patched a critical 'panic' (crash) caused by a race condition in alert rules and fixed issues where contact points weren't working correctly.
  - URL Handling: Fixed a bug where 'true' values in URL parameters weren't being read correctly.
Affected Systems
- openSUSE Leap 15.6: grafana < 11.6.11-150200.3.83.1
- SUSE Linux Enterprise Module for Package Hub 15 SP7: grafana < 11.6.11-150200.3.83.1
References (11)
- https://www.suse.com/support/update/announcement/2026/suse-su-20261037-1/
- https://bugzilla.suse.com/1245302
- https://bugzilla.suse.com/1255340
- https://bugzilla.suse.com/1257337
- https://bugzilla.suse.com/1257349
- https://bugzilla.suse.com/1258136
- https://www.suse.com/security/cve/CVE-2025-3415
- https://www.suse.com/security/cve/CVE-2025-68156
- https://www.suse.com/security/cve/CVE-2026-21720
- https://www.suse.com/security/cve/CVE-2026-21721
- https://www.suse.com/security/cve/CVE-2026-21722