diff --git a/docker/grafana/Dockerfile b/docker/grafana/Dockerfile
index 81f4cc0fd1..78a24b637d 100644
--- a/docker/grafana/Dockerfile
+++ b/docker/grafana/Dockerfile
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM docker.io/grafana/grafana:7.4.1-ubuntu
+FROM docker.io/grafana/grafana:7.4.2-ubuntu
 LABEL maintainer="infra-root@openstack.org"
diff --git a/playbooks/roles/grafana/templates/grafana.vhost.j2 b/playbooks/roles/grafana/templates/grafana.vhost.j2
index afddd47487..07a5caf3ce 100644
--- a/playbooks/roles/grafana/templates/grafana.vhost.j2
+++ b/playbooks/roles/grafana/templates/grafana.vhost.j2
@@ -34,6 +34,13 @@
 SSLCertificateKeyFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key
 SSLCertificateChainFile /etc/letsencrypt-certs/{{ inventory_hostname }}/ca.cer
+ # NOTE(ianw) 2021-02-19
+ # This was for a security issue fixed in 7.4.2
+ # where anonymous users could cause a write to disk, fixed
+ # with
+ # https://github.com/grafana/grafana/pull/31263/
+ # We leave it because we don't use the API, but if we need
+ # it, we can remove this.
 RewriteEngine on
 RewriteRule "^/api/snapshots(.*?)$" "-" [F]
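Review bot: The new comment in grafana.vhost.j2 says the rule is kept "because we don't use the API", but the `RewriteRule` it documents forbids only paths beginning with `/api/snapshots`, so the wording overstates what is blocked. Something like `# We keep it as defence in depth because we don't use the snapshot API; remove it if snapshots are ever needed.` would match the rule and tell the next maintainer exactly which feature breaks while it is in place. The comment would also be easier to audit later if it named the upstream advisory identifier next to the pull-request link; the hunk does not give one. The enclosing VirtualHost block starts and ends outside the hunk.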