rpms/grafana
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import grafana-6.3.6-2.el8_2

Browse Source
This commit is contained in:
CentOS Sources 2020-06-22 02:51:42 -04:00 committed by Andrew Lukoshko
parent e2f674e9e5
commit 1a1a0cb69f
2 changed files with 48 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
SOURCES/006-CVE-2020-13379.patch Normal file
View File

@ -0,0 +1,39 @@
diff --git a/pkg/api/avatar/avatar.go b/pkg/api/avatar/avatar.go
--- a/pkg/api/avatar/avatar.go
+++ b/pkg/api/avatar/avatar.go
@@ -17,14 +17,15 @@ import (
"net/http"
"net/url"
"path/filepath"
+ "regexp"
"strconv"
"strings"
"sync"
"time"
"github.com/grafana/grafana/pkg/infra/log"
+ "github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/setting"
- "gopkg.in/macaron.v1"
gocache "github.com/patrickmn/go-cache"
)
@@ -97,9 +98,15 @@ type CacheServer struct {
cache *gocache.Cache
}
-func (this *CacheServer) Handler(ctx *macaron.Context) {
- urlPath := ctx.Req.URL.Path
- hash := urlPath[strings.LastIndex(urlPath, "/")+1:]
+var validMD5 = regexp.MustCompile("^[a-fA-F0-9]{32}$")
+
+func (this *CacheServer) Handler(ctx *models.ReqContext) {
+ hash := ctx.Params("hash")
+
+ if len(hash) != 32 || !validMD5.MatchString(hash) {
+ ctx.JsonApiErr(404, "Avatar not found", nil)
+ return
+ }
var avatar *Avatar

11
SPECS/grafana.spec
View File

@ -22,7 +22,7 @@ end}
Name: grafana Name: grafana
Version: 6.3.6 Version: 6.3.6
Release: 1%{?dist} Release: 2%{?dist}
Summary: Metrics dashboard and graph editor Summary: Metrics dashboard and graph editor
License: ASL 2.0 License: ASL 2.0
URL: https://grafana.org URL: https://grafana.org
@ -43,6 +43,9 @@ Patch3: 003-new-files.patch
Patch4: 004-xerrors.patch Patch4: 004-xerrors.patch
Patch5: 005-mute-shellcheck-grafana-cli.patch Patch5: 005-mute-shellcheck-grafana-cli.patch
# Patch for CVE-2020-13379
Patch6: 006-CVE-2020-13379.patch
# Intersection of go_arches and nodejs_arches # Intersection of go_arches and nodejs_arches
ExclusiveArch: %{grafana_arches} ExclusiveArch: %{grafana_arches}
@ -409,6 +412,7 @@ The Grafana stackdriver datasource.
%patch3 -p1 %patch3 -p1
%patch4 -p1 %patch4 -p1
%patch5 -p1 %patch5 -p1
%patch6 -p1
# Set up build subdirs and links # Set up build subdirs and links
mkdir -p %{_builddir}/src/github.com/grafana mkdir -p %{_builddir}/src/github.com/grafana
@ -440,13 +444,13 @@ cd %{_builddir}/src/github.com/grafana/grafana
echo _builddir=%{_builddir} archbindir=%{archbindir} echo _builddir=%{_builddir} archbindir=%{archbindir}
[ ! -d %{archbindir} ] && mkdir -p %{archbindir} [ ! -d %{archbindir} ] && mkdir -p %{archbindir}
export GOPATH=%{_builddir}:%{gopath} export GOPATH=%{_builddir}:%{gopath}
# export GO111MODULE=off
%if 0%{?fedora} >= 31 %if 0%{?fedora} >= 31
# native fedora golang build but without modules (no grafana support yet) # native fedora golang build but without modules (no grafana support yet)
go build -mod=vendor -o %{archbindir}/grafana-cli ./pkg/cmd/grafana-cli go build -mod=vendor -o %{archbindir}/grafana-cli ./pkg/cmd/grafana-cli
go build -mod=vendor -o %{archbindir}/grafana-server ./pkg/cmd/grafana-server go build -mod=vendor -o %{archbindir}/grafana-server ./pkg/cmd/grafana-server
%else %else
# use the grafana build.go script. # use the grafana build.go script.
export GO111MODULE=off
go run build.go build go run build.go build
%endif %endif
@ -633,6 +637,9 @@ go test ./pkg/...
%changelog %changelog
* Wed Jun 17 2020 Andreas Gerstmayr <agerstmayr@redhat.com> 6.3.6-2
- fix CVE-2020-13379
* Wed Nov 20 2019 Mark Goodwin <mgoodwin@redhat.com> 6.3.6-1 * Wed Nov 20 2019 Mark Goodwin <mgoodwin@redhat.com> 6.3.6-1
- add weak depenency on grafana-pcp - add weak depenency on grafana-pcp
- add patch to mute shellcheck SC1090 for grafana-cli - add patch to mute shellcheck SC1090 for grafana-cli