Resolves: RHEL-183733
This commit is contained in:
parent
7224b3c36d
commit
adc51659ad
2
.gitignore
vendored
2
.gitignore
vendored
@ -9,3 +9,5 @@ SOURCES/grafana-pcp-webpack-3.2.0-1.tar.gz
|
||||
/grafana-pcp-vendor-5.1.1-1.tar.xz
|
||||
/grafana-pcp-webpack-5.1.1-8.tar.gz
|
||||
/grafana-pcp-vendor-5.1.1-8.tar.xz
|
||||
/grafana-pcp-vendor-5.1.1-15.tar.xz
|
||||
/grafana-pcp-webpack-5.1.1-15.tar.gz
|
||||
|
||||
102
0003-fix-x-net-CVE.patch
Normal file
102
0003-fix-x-net-CVE.patch
Normal file
@ -0,0 +1,102 @@
|
||||
diff --git a/go.mod b/go.mod
|
||||
index f33185f..0cae301 100644
|
||||
--- a/go.mod
|
||||
+++ b/go.mod
|
||||
@@ -1,6 +1,6 @@
|
||||
module github.com/performancecopilot/grafana-pcp
|
||||
|
||||
-go 1.17
|
||||
+go 1.25.0
|
||||
|
||||
require (
|
||||
github.com/grafana/grafana-plugin-sdk-go v0.141.0
|
||||
@@ -54,9 +54,9 @@ require (
|
||||
github.com/prometheus/common v0.37.0 // indirect
|
||||
github.com/prometheus/procfs v0.8.0 // indirect
|
||||
github.com/rivo/uniseg v0.4.2 // indirect
|
||||
- golang.org/x/net v0.0.0-20220926192436-02166a98028e // indirect
|
||||
- golang.org/x/sys v0.1.0 // indirect
|
||||
- golang.org/x/text v0.3.7 // indirect
|
||||
+ golang.org/x/net v0.55.0 // indirect
|
||||
+ golang.org/x/sys v0.45.0 // indirect
|
||||
+ golang.org/x/text v0.37.0 // indirect
|
||||
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
|
||||
google.golang.org/genproto v0.0.0-20220926220553-6981cbe3cfce // indirect
|
||||
google.golang.org/grpc v1.49.0 // indirect
|
||||
diff --git a/go.sum b/go.sum
|
||||
index 1e351cc..c0d0d4b 100644
|
||||
--- a/go.sum
|
||||
+++ b/go.sum
|
||||
@@ -70,6 +70,7 @@ github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819 h1:RIB4cRk+lBqKK3O
|
||||
github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
|
||||
github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8=
|
||||
github.com/elazarl/goproxy/ext v0.0.0-20220115173737-adb46da277ac h1:9yrT5tmn9Zc0ytWPASlaPwQfQMQYnRf0RSDe1XvHw0Q=
|
||||
+github.com/elazarl/goproxy/ext v0.0.0-20220115173737-adb46da277ac/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8=
|
||||
github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
|
||||
github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
|
||||
github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
|
||||
@@ -195,6 +196,7 @@ github.com/invopop/yaml v0.1.0/go.mod h1:2XuRLgs/ouIrW3XNzuNj7J3Nvu/Dig5MXvbCEdi
|
||||
github.com/invopop/yaml v0.2.0 h1:7zky/qH+O0DwAyoobXUqvVBwgBFRxKoQ/3FjcVpjTMY=
|
||||
github.com/invopop/yaml v0.2.0/go.mod h1:2XuRLgs/ouIrW3XNzuNj7J3Nvu/Dig5MXvbCEdiBN3Q=
|
||||
github.com/jhump/protoreflect v1.6.0 h1:h5jfMVslIg6l29nsMs0D8Wj17RDVdNYti0vDN/PZZoE=
|
||||
+github.com/jhump/protoreflect v1.6.0/go.mod h1:eaTn3RZAmMBcV0fifFvlm6VHNz3wSkYyXYWUh7ymB74=
|
||||
github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
|
||||
github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
|
||||
github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
|
||||
@@ -222,6 +224,7 @@ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORN
|
||||
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
|
||||
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
|
||||
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
|
||||
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
|
||||
github.com/magefile/mage v1.14.0 h1:6QDX3g6z1YvJ4olPhT1wksUcSa/V0a1B+pJb73fBjyo=
|
||||
github.com/magefile/mage v1.14.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
|
||||
github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
|
||||
@@ -247,6 +250,7 @@ github.com/matttproud/golang_protobuf_extensions v1.0.2/go.mod h1:BSXmuO+STAnVfr
|
||||
github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU=
|
||||
github.com/mitchellh/go-testing-interface v1.14.1/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8=
|
||||
github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
|
||||
+github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
|
||||
github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
|
||||
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
|
||||
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
|
||||
@@ -418,8 +422,8 @@ golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qx
|
||||
golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
|
||||
golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
|
||||
golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
|
||||
-golang.org/x/net v0.0.0-20220926192436-02166a98028e h1:I51lVG9ykW5AQeTE50sJ0+gJCAF0J78Hf1+1VUCGxDI=
|
||||
-golang.org/x/net v0.0.0-20220926192436-02166a98028e/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
|
||||
+golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
|
||||
+golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
|
||||
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
|
||||
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||
@@ -485,8 +489,8 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBc
|
||||
golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
-golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
|
||||
-golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
+golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
|
||||
+golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
|
||||
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
|
||||
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
|
||||
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
@@ -496,8 +500,9 @@ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
|
||||
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
||||
golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
||||
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
||||
-golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
|
||||
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
|
||||
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
|
||||
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
|
||||
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
|
||||
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
|
||||
golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
|
||||
@@ -654,6 +659,7 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
|
||||
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
|
||||
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
|
||||
gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
|
||||
gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
@ -19,6 +19,9 @@ tar xf "${SOURCE_TAR}"
|
||||
## Create vendor bundle
|
||||
pushd "${SOURCE_DIR}"
|
||||
|
||||
# Apply x/net CVE fix before vendoring
|
||||
patch -p1 --fuzz=0 < ../0003-fix-x-net-CVE.patch
|
||||
|
||||
# Vendor Go dependencies
|
||||
go mod vendor
|
||||
|
||||
@ -31,7 +34,7 @@ patch -p1 --fuzz=0 < ../0002-add-uwsgi-dashboard.patch
|
||||
|
||||
# Vendor Node.js dependencies
|
||||
patch -p1 --fuzz=0 < ../0001-remove-unused-frontend-crypto.patch
|
||||
yarn install --frozen-lockfile
|
||||
yarn install --frozen-lockfile --ignore-engines
|
||||
|
||||
# Remove files with licensing issues
|
||||
find . -type d -name 'node-notifier' -prune -exec rm -r {} \;
|
||||
|
||||
@ -6,10 +6,10 @@
|
||||
#
|
||||
|
||||
cat <<EOF | podman build -t grafana-pcp-build -f - .
|
||||
FROM fedora:36
|
||||
FROM fedora:44
|
||||
|
||||
RUN dnf upgrade -y && \
|
||||
dnf install -y rpmdevtools python3-packaging make golang nodejs yarnpkg golang-github-jsonnet-bundler golang-github-google-jsonnet
|
||||
dnf install -y rpmdevtools python3-packaging make golang nodejs yarnpkg golang-github-jsonnet-bundler jsonnet
|
||||
|
||||
WORKDIR /tmp/grafana-pcp-build
|
||||
COPY grafana-pcp.spec create_bundles.sh build_frontend.sh list_bundled_nodejs_packages.py *.patch .
|
||||
|
||||
@ -16,20 +16,20 @@ end}
|
||||
|
||||
Name: grafana-pcp
|
||||
Version: 5.1.1
|
||||
Release: 14%{?dist}
|
||||
Release: 15%{?dist}
|
||||
Summary: Performance Co-Pilot Grafana Plugin
|
||||
License: ASL 2.0
|
||||
URL: https://github.com/performancecopilot/grafana-pcp
|
||||
|
||||
Source0: https://github.com/performancecopilot/grafana-pcp/archive/v%{version}/%{name}-%{version}.tar.gz
|
||||
Source1: grafana-pcp-vendor-%{version}-8.tar.xz
|
||||
Source1: grafana-pcp-vendor-%{version}-15.tar.xz
|
||||
# Note: In case there were no changes to this tarball, the NVR of this tarball
|
||||
# lags behind the NVR of this package.
|
||||
%if %{compile_frontend} == 0
|
||||
# Source2 contains the precompiled frontend and dashboards
|
||||
# Note: In case there were no changes to this tarball, the NVR of this tarball
|
||||
# lags behind the NVR of this package.
|
||||
Source2: grafana-pcp-webpack-%{version}-8.tar.gz
|
||||
Source2: grafana-pcp-webpack-%{version}-15.tar.gz
|
||||
%endif
|
||||
Source3: create_bundles.sh
|
||||
Source4: build_frontend.sh
|
||||
@ -38,6 +38,7 @@ Source6: create_bundles_in_container.sh
|
||||
|
||||
Patch1: 0001-remove-unused-frontend-crypto.patch
|
||||
Patch2: 0002-add-uwsgi-dashboard.patch
|
||||
Patch3: 0003-fix-x-net-CVE.patch
|
||||
|
||||
# Intersection of go_arches and nodejs_arches
|
||||
ExclusiveArch: %{grafanapcp_arches}
|
||||
@ -136,6 +137,7 @@ bpftrace scripts from pmdabpftrace(1), as well as several dashboards.
|
||||
|
||||
%patch -P 1 -p1
|
||||
%patch -P 2 -p1
|
||||
%patch -P 3 -p1
|
||||
|
||||
%build
|
||||
# Build frontend data sources
|
||||
@ -194,6 +196,9 @@ yarn test
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Jun 23 2026 Sam Feifer <sfeifer@redhat.com> - 5.1.1-15
|
||||
- Resolves RHEL-183733: CVE-2026-39821
|
||||
|
||||
* Wed Apr 22 2026 Sam Feifer <sfeifer@redhat.com> - 5.1.1-14
|
||||
- Resolves RHEL-166520: CVE-2026-32282
|
||||
- Resolves RHEL-167381: CVE-2026-32280
|
||||
|
||||
4
sources
4
sources
@ -1,3 +1,3 @@
|
||||
SHA512 (grafana-pcp-5.1.1.tar.gz) = 697dfbe1e5cd5d66080197dab2798af0965747a4460d15e62c3497f64674bcc77fc776ac5c95cb7043dcf534e8e0eae47afd7500a5851a0d35ad1062e8d4ac2e
|
||||
SHA512 (grafana-pcp-webpack-5.1.1-8.tar.gz) = 77e9e6f306425983808f414662cbb2db9077e7c9fcca36a33033e56b527b339d40415df54fb63465ddd701861f89da19b7f1524eb5aa05c1425f3870e017d467
|
||||
SHA512 (grafana-pcp-vendor-5.1.1-8.tar.xz) = 239eab5405d42769c8f77f408de06588c299ee0df7ea22c5509a32274380670dad560279cff27ebf2b1814bf293dda27c772989b3f6a0777c591397a07583f04
|
||||
SHA512 (grafana-pcp-vendor-5.1.1-15.tar.xz) = e18ab64766aa44799182992d4dfab219550fff503922d89a6aefbc9b753d5e023c528e3d67ad3c9105db595ebb597db6dd8302cacbb09e7c95468c6f4eee3442
|
||||
SHA512 (grafana-pcp-webpack-5.1.1-15.tar.gz) = d499f0519e049f62ce6878ea4d53fbf37890822b8e3c4589f2014eb62f4cd739b57c9dd7e2c3ef3ea596a118582beea98b1f8d979bc280576b5eb1fa7fa3202e
|
||||
|
||||
Loading…
Reference in New Issue
Block a user