[Git][security-tracker-team/security-tracker][master] auto-nfu: Add rule for Grafana

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed Jun 24 19:38:58 BST 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
693cbad1 by Moritz Muehlenhoff at 2026-06-24T20:37:42+02:00
auto-nfu: Add rule for Grafana

src:grafana was never part of a stable release and has been removed for
eight years now.

- - - - -


2 changed files:

- data/CVE/list
- data/packages/nfu.yaml


Changes:

=====================================
data/CVE/list
=====================================
@@ -1401,7 +1401,7 @@ CVE-2026-44913 (Improper escaping of database table names in the CaptureChangeMy
 CVE-2026-44911 (Authorization handling for component configuration verification reques ...)
 	NOT-FOR-US: Apache software not packaged in Debian
 CVE-2026-42129 (The Loki datasource plugin's callResource handler contains a path trav ...)
-	TODO: check
+	NOT-FOR-US: Grafana Labs
 CVE-2026-42127 (The public dashboard query endpoint does not limit request body size b ...)
 	TODO: check
 CVE-2026-41049 (Incorrect caching of authentication between different users of the qSn ...)
@@ -1458,7 +1458,7 @@ CVE-2026-10845 (IBM WebSphere Application Server 8.5 and 9.0could allow a remote
 CVE-2026-10789 (A maliciously crafted webpage, when visited by a user with Autodesk Fu ...)
 	NOT-FOR-US: Autodesk
 CVE-2026-10601 (The Tempo and Loki datasource plugins construct backend HTTP requests  ...)
-	TODO: check
+	NOT-FOR-US: Grafana Labs
 CVE-2026-10561 (IBM Langflow OSS 1.0.0 through 1.9.3 has an vulnerability due to an im ...)
 	NOT-FOR-US: IBM
 CVE-2025-66389 (GitHub Copilot 1.372.0 allows filesystem access outside of a workspace ...)


=====================================
data/packages/nfu.yaml
=====================================
@@ -491,6 +491,11 @@
     - cna: Google
     - anyOf:
       - product: Gemini
+- reason: Grafana Labs
+  allOf:
+    - cna: GRAFANA
+    - anyOf:
+      - product: Grafana OSS
 - reason: Hashicorp products not packaged in Debian
   allOf:
     - cna: HashiCorp



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/693cbad1f22e3a561761da0f0854c484e44ac4f0

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/693cbad1f22e3a561761da0f0854c484e44ac4f0
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260624/6ae9e39f/attachment-0001.htm>


More information about the debian-security-tracker-commits mailing list