- Fix CVE-2023-3128(Patch was taken from grafana github sources and backported for 9.0.9)
This commit is contained in:
parent
d57c8e97e9
commit
0ee7429587
|
|
@ -0,0 +1,19 @@
|
|||
From 3236aa416f6d1b109bff1fdd4127292988fb199c Mon Sep 17 00:00:00 2001
|
||||
From: Stan Cox <scox@redhat.com>
|
||||
Date: Wed, 22 Jun 2022 17:05:48 +0200
|
||||
Subject: [PATCH] fix alert test
|
||||
|
||||
|
||||
diff --git a/pkg/tests/api/alerting/api_alertmanager_test.go b/pkg/tests/api/alerting/api_alertmanager_test.go
|
||||
index 2d6e1235b6..f0eff6d2ac 100644
|
||||
--- a/pkg/tests/api/alerting/api_alertmanager_test.go 2023-01-24 14:44:19.000000000 -0500
|
||||
+++ b/pkg/tests/api/alerting/api_alertmanager_test.go 2023-04-13 16:20:51.718515009 -0400
|
||||
@@ -210,7 +210,7 @@
|
||||
{
|
||||
"comment": "string",
|
||||
"createdBy": "string",
|
||||
- "endsAt": "2023-03-31T14:17:04.419Z",
|
||||
+ "endsAt": "2032-03-31T14:17:04.419Z",
|
||||
"matchers": [
|
||||
{
|
||||
"isRegex": true,
|
||||
|
|
@ -0,0 +1,63 @@
|
|||
From 150a1d2777ea86253e6f800a2ee6273b92295ed9 Mon Sep 17 00:00:00 2001
|
||||
From: eabdullin <ed.abdullin.1@gmail.com>
|
||||
Date: Wed, 12 Jul 2023 15:31:00 +0300
|
||||
Subject: [PATCH] CVE-2023-3128
|
||||
|
||||
---
|
||||
pkg/api/login_oauth.go | 17 +++++++++--------
|
||||
pkg/setting/setting.go | 5 ++++-
|
||||
2 files changed, 13 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/pkg/api/login_oauth.go b/pkg/api/login_oauth.go
|
||||
index b422baf..f124252 100644
|
||||
--- a/pkg/api/login_oauth.go
|
||||
+++ b/pkg/api/login_oauth.go
|
||||
@@ -299,16 +299,17 @@ func (hs *HTTPServer) SyncUser(
|
||||
connect social.SocialConnector,
|
||||
) (*models.User, error) {
|
||||
oauthLogger.Debug("Syncing Grafana user with corresponding OAuth profile")
|
||||
+ lookupParams := models.UserLookupParams{}
|
||||
+ if hs.Cfg.OAuthAllowInsecureEmailLookup {
|
||||
+ lookupParams.Email = &extUser.Email
|
||||
+ }
|
||||
+
|
||||
// add/update user in Grafana
|
||||
cmd := &models.UpsertUserCommand{
|
||||
- ReqContext: ctx,
|
||||
- ExternalUser: extUser,
|
||||
- SignupAllowed: connect.IsSignupAllowed(),
|
||||
- UserLookupParams: models.UserLookupParams{
|
||||
- Email: &extUser.Email,
|
||||
- UserID: nil,
|
||||
- Login: nil,
|
||||
- },
|
||||
+ ReqContext: ctx,
|
||||
+ ExternalUser: extUser,
|
||||
+ SignupAllowed: connect.IsSignupAllowed(),
|
||||
+ UserLookupParams: lookupParams,
|
||||
}
|
||||
|
||||
if err := hs.Login.UpsertUser(ctx.Req.Context(), cmd); err != nil {
|
||||
diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go
|
||||
index ba2c4bb..6b5c948 100644
|
||||
--- a/pkg/setting/setting.go
|
||||
+++ b/pkg/setting/setting.go
|
||||
@@ -312,7 +312,8 @@ type Cfg struct {
|
||||
AuthProxySyncTTL int
|
||||
|
||||
// OAuth
|
||||
- OAuthCookieMaxAge int
|
||||
+ OAuthCookieMaxAge int
|
||||
+ OAuthAllowInsecureEmailLookup bool
|
||||
|
||||
// JWT Auth
|
||||
JWTAuthEnabled bool
|
||||
@@ -1255,6 +1256,8 @@ func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) {
|
||||
return err
|
||||
}
|
||||
|
||||
+ cfg.OAuthAllowInsecureEmailLookup = auth.Key("oauth_allow_insecure_email_lookup").MustBool(false)
|
||||
+
|
||||
const defaultMaxLifetime = "30d"
|
||||
maxLifetimeDurationVal := valueAsString(auth, "login_maximum_lifetime_duration", defaultMaxLifetime)
|
||||
cfg.LoginMaxLifetime, err = gtime.ParseDuration(maxLifetimeDurationVal)
|
||||
|
|
@ -23,7 +23,7 @@ end}
|
|||
|
||||
Name: grafana
|
||||
Version: 9.0.9
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}.alma
|
||||
Summary: Metrics dashboard and graph editor
|
||||
License: AGPLv3
|
||||
URL: https://grafana.org
|
||||
|
|
@ -71,6 +71,12 @@ Patch7: 0007-skip-marketplace-plugin-install-test.patch
|
|||
Patch8: 0008-Prometheus-Fix-integer-overflow-in-rate-interval-cal.patch
|
||||
Patch9: 0009-Prometheus-Fix-integer-overflow-in-rate-interval-cal.patch
|
||||
Patch10: 0010-v9.0.x-Login-email-before-username-57406.patch
|
||||
# https://gitlab.com/redhat/centos-stream/rpms/grafana/-/blob/3731c12a8956d50514a58d9aa2f2d330d4ee32b6/0007-fix-alert-test.patch
|
||||
Patch11: 0011-fix-alert-test.patch
|
||||
# Patch was taken from grafana github sources and backported for 9.0.9
|
||||
# git diff v9.2.19 v9.2.20 -- pkg/
|
||||
Patch12: 0012-CVE-2023-3128.patch
|
||||
|
||||
|
||||
# Patches affecting the vendor tarball
|
||||
Patch1001: 1001-vendor-patch-removed-backend-crypto.patch
|
||||
|
|
@ -708,6 +714,8 @@ rm -r plugins-bundled
|
|||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
|
||||
%patch1001 -p1
|
||||
%if %{enable_fips_mode}
|
||||
|
|
@ -899,6 +907,9 @@ OPENSSL_FORCE_FIPS_MODE=1 GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryptio
|
|||
|
||||
|
||||
%changelog
|
||||
* Wed Jul 12 2023 Eduard Abdullin <eabdullin@almalinux.org> 9.0.9-3
|
||||
- Fix CVE-2023-3128(Patch was taken from grafana github sources and backported for 9.0.9)
|
||||
|
||||
* Tue Nov 01 2022 Stan Cox <scox@redhat.com> 9.0.9-2
|
||||
- resolve CVE-2022-39229 grafana: Using email as a username can prevent other users from signing in
|
||||
- resolve CVE-2022-2880 CVE-2022-41715 grafana: various flaws
|
||||
|
|
|
|||
Loading…
Reference in New Issue