From b1e2811077b384466e6308096abb9572c4ab440c Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Thu, 2 Apr 2026 11:33:19 -0700
Subject: [PATCH] =?UTF-8?q?Upgrade=20Grafana=2012.3.3=20=E2=86=92=2012.4.2?=
 =?UTF-8?q?=20(#322)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Summary

- Bumps Grafana from 12.3.3 to 12.4.2
- Patches 7 CVEs, notably CVE-2026-27880 (unauthenticated OOM DoS, CVSS 7.5) and CVE-2026-27879 (authenticated OOM via resample queries)
- No config changes required — reviewed alerting, datasources, OIDC, and feature toggles against 12.4.x breaking changes

## Breaking changes reviewed

| Change | Impact |
|--------|--------|
| Alerting: pending period applies to NoData/Error | Net positive — reduces noise from transient blips |
| Default notification uses empty receiver | No impact — we explicitly set `ntfy-infra` |
| Removed feature toggles (4) | No impact — none configured |
| OAuth ID token signature validation | Low risk — verify OIDC login post-deploy |
| OpsGenie deprecated | No impact — using webhook |

## Test plan

- [ ] Container build completes at forge
- [ ] Update kustomization.yaml with new image tag
- [ ] `argocd app set grafana --revision upgrade/grafana-12.4.2 && argocd app sync grafana`
- [ ] Verify Grafana UI loads at grafana.ops.eblu.me
- [ ] Verify OIDC login via Authentik
- [ ] Verify dashboards and datasources load
- [ ] Check alerting rules are intact

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/322
---
 argocd/manifests/grafana/kustomization.yaml      | 2 +-
 containers/grafana/Dockerfile                    | 2 +-
 docs/changelog.d/upgrade-grafana-12.4.2.infra.md | 1 +
 service-versions.yaml                            | 4 ++--
 4 files changed, 5 insertions(+), 4 deletions(-)
 create mode 100644 docs/changelog.d/upgrade-grafana-12.4.2.infra.md
diff --git a/argocd/manifests/grafana/kustomization.yaml b/argocd/manifests/grafana/kustomization.yaml index 3aeaa26..4fe53a9 100644 --- a/argocd/manifests/grafana/kustomization.yaml +++ b/argocd/manifests/grafana/kustomization.yaml @@ -18,7 +18,7 @@ images: - name: registry.ops.eblu.me/blumeops/grafana-sidecar newTag: v1.28.0-613f05d - name: registry.ops.eblu.me/blumeops/grafana - newTag: v12.3.3-613f05d + newTag: v12.4.2-4c54774 configMapGenerator: - name: grafana diff --git a/containers/grafana/Dockerfile b/containers/grafana/Dockerfile index 3d5b12b..3b33dd9 100644 --- a/containers/grafana/Dockerfile +++ b/containers/grafana/Dockerfile @@ -1,4 +1,4 @@ -ARG CONTAINER_APP_VERSION=12.3.3 +ARG CONTAINER_APP_VERSION=12.4.2 FROM alpine:3.22 diff --git a/docs/changelog.d/upgrade-grafana-12.4.2.infra.md b/docs/changelog.d/upgrade-grafana-12.4.2.infra.md new file mode 100644 index 0000000..11bba26 --- /dev/null +++ b/docs/changelog.d/upgrade-grafana-12.4.2.infra.md @@ -0,0 +1 @@ +Upgrade Grafana from 12.3.3 to 12.4.2 — patches 7 CVEs including an unauthenticated DoS (CVE-2026-27880). diff --git a/service-versions.yaml b/service-versions.yaml index b8441c0..2a568b4 100644 --- a/service-versions.yaml +++ b/service-versions.yaml @@ -97,8 +97,8 @@ services: - name: grafana type: argocd - last-reviewed: 2026-02-23 - current-version: "12.3.3" + last-reviewed: 2026-04-02 + current-version: "12.4.2" upstream-source: https://github.com/grafana/grafana/releases notes: Home-built container from Alpine; upgraded from Helm to Kustomize
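Review bot: In argocd/manifests/grafana/kustomization.yaml, the grafana image is still selected by tag alone (`newTag: v12.4.2-4c54774`), so the cluster runs whatever the registry serves under that tag rather than the specific build that carries the CVE fixes. Consider adding a `digest:` entry to the same `images:` item for registry.ops.eblu.me/blumeops/grafana, taken from the forge build output, so the Argo CD sync is bound to one immutable image. The test plan's build and tag-update items are unchecked, so it is also worth confirming that this tag exists in the registry before the sync.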
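Review bot: In containers/grafana/Dockerfile, the context line `FROM alpine:3.22` is a floating tag, so the rebuild done for this security bump can pick up a different base image than the previous build, with nothing in the diff recording it. Pinning the base as `alpine:3.22@sha256:<digest>` (placeholder) and bumping it deliberately would make the build reproducible. Only the `ARG CONTAINER_APP_VERSION` line changes in this file, so either the Grafana download has no pinned checksum or a pinned checksum was not updated for 12.4.2; please check which, and add or bump the checksum alongside the version.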
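Review bot: In service-versions.yaml, `current-version: "12.4.2"` is a third hand-maintained copy of the version, next to `CONTAINER_APP_VERSION` in the Dockerfile and `newTag` in kustomization.yaml, and nothing in the patch ties the three together. A CI check that fails when they disagree would keep this inventory trustworthy for answering which Grafana version is deployed when the next advisory lands. Since this bump is CVE-driven, the `notes:` field or a neighbouring key could also record that, so a later reviewer can tell a security upgrade from a routine one.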