diff --git a/.gitignore b/.gitignore index 63841e5..0b10e48 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ SOURCES/grafana-10.2.6.tar.gz -SOURCES/grafana-vendor-10.2.6-7.tar.xz -SOURCES/grafana-webpack-10.2.6-7.tar.gz +SOURCES/grafana-vendor-10.2.6-9.tar.xz +SOURCES/grafana-webpack-10.2.6-9.tar.gz diff --git a/.grafana.metadata b/.grafana.metadata index 484ff38..407fc5f 100644 --- a/.grafana.metadata +++ b/.grafana.metadata @@ -1,3 +1,3 @@ 5c65a9460e0d0ecff29e397b5889b4167f046142 SOURCES/grafana-10.2.6.tar.gz -2b4545a05745a2d2abb719ea9bd86b87f045cf42 SOURCES/grafana-vendor-10.2.6-7.tar.xz -3d7618ff21be2346cf59955487aa766f06e7a18c SOURCES/grafana-webpack-10.2.6-7.tar.gz +80512e6390fd349f9511269026061a2342f3f613 SOURCES/grafana-vendor-10.2.6-9.tar.xz +128ba33fc426b99ef66e9230a9c68925b9822b85 SOURCES/grafana-webpack-10.2.6-9.tar.gz diff --git a/SOURCES/0012-fix-jwt-CVE.patch b/SOURCES/0012-fix-jwt-CVE.patch new file mode 100644 index 0000000..04fc58e --- /dev/null +++ b/SOURCES/0012-fix-jwt-CVE.patch @@ -0,0 +1,28 @@ +diff --git a/go.mod b/go.mod +index fcbc09da5e6..1771902bc1c 100644 +--- a/go.mod ++++ b/go.mod +@@ -164,7 +164,7 @@ require ( + github.com/go-openapi/spec v0.20.9 // indirect + github.com/go-openapi/swag v0.22.4 // indirect + github.com/go-openapi/validate v0.22.1 // indirect +- github.com/golang-jwt/jwt/v4 v4.5.0 // @grafana/backend-platform ++ github.com/golang-jwt/jwt/v4 v4.5.2 // @grafana/backend-platform + github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect + github.com/golang/glog v1.1.2 // indirect + github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect +diff --git a/go.sum b/go.sum +index d05dfb55fd4..3a045f712eb 100644 +--- a/go.sum ++++ b/go.sum +@@ -1593,8 +1593,9 @@ github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzw + github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= + github.com/golang-jwt/jwt/v4 v4.4.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= + github.com/golang-jwt/jwt/v4 v4.4.3/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= + github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= ++github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI= ++github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= + github.com/golang-migrate/migrate/v4 v4.7.0 h1:gONcHxHApDTKXDyLH/H97gEHmpu1zcnnbAaq2zgrPrs= + github.com/golang-migrate/migrate/v4 v4.7.0/go.mod h1:Qvut3N4xKWjoH3sokBccML6WyHSnggXm/DvMMnTsQIc= + github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= diff --git a/SOURCES/create_bundles.sh b/SOURCES/create_bundles.sh index 00d4bdd..f4105d0 100644 --- a/SOURCES/create_bundles.sh +++ b/SOURCES/create_bundles.sh @@ -21,7 +21,7 @@ pushd "${SOURCE_DIR}" # Vendor Go dependencies patch -p1 --fuzz=0 < ../0004-remove-unused-backend-dependencies.patch -patch -p1 --fuzz=0 < ../0011-fix-dompurify-CVE.patch +patch -p1 --fuzz=0 < ../0012-fix-jwt-CVE.patch go mod vendor # Generate Go files @@ -60,6 +60,7 @@ awk '$2 ~ /^v/ && $4 != "indirect" {print "Provides: bundled(golang(" $1 ")) = " # Vendor Node.js dependencies patch -p1 --fuzz=0 < ../0005-remove-unused-frontend-crypto.patch +patch -p1 --fuzz=0 < ../0011-fix-dompurify-CVE.patch export HUSKY=0 yarn install --frozen-lockfile diff --git a/SPECS/grafana.spec b/SPECS/grafana.spec index 7af6d35..09989ca 100644 --- a/SPECS/grafana.spec +++ b/SPECS/grafana.spec @@ -25,7 +25,7 @@ end} Name: grafana Version: 10.2.6 -Release: 8%{?dist} +Release: 9%{?dist} Summary: Metrics dashboard and graph editor License: AGPL-3.0-only URL: https://grafana.org @@ -36,13 +36,13 @@ Source0: https://github.com/grafana/grafana/archive/v%{version}/%{name} # Source1 contains the bundled Go and Node.js dependencies # Note: In case there were no changes to this tarball, the NVR of this tarball # lags behind the NVR of this package. -Source1: grafana-vendor-%{version}-7.tar.xz +Source1: grafana-vendor-%{version}-9.tar.xz %if %{compile_frontend} == 0 # Source2 contains the precompiled frontend # Note: In case there were no changes to this tarball, the NVR of this tarball # lags behind the NVR of this package. -Source2: grafana-webpack-%{version}-7.tar.gz +Source2: grafana-webpack-%{version}-9.tar.gz %endif # Source3 contains the systemd-sysusers configuration @@ -78,6 +78,7 @@ Patch9: 0009-update-wrappers-and-systemd-with-distro-paths.patch # https://github.com/grafana/grafana/commit/bae86dbeb0ad68a205454e98e76985dc393183d4 Patch10: 0010-remove-bcrypt-references.patch Patch11: 0011-fix-dompurify-CVE.patch +Patch12: 0012-fix-jwt-CVE.patch # Patches affecting the vendor tarball Patch1001: 1001-vendor-patch-removed-backend-crypto.patch @@ -249,7 +250,7 @@ Provides: bundled(golang(github.com/andybalholm/brotli)) = 1.0.4 Provides: bundled(golang(github.com/go-kit/log)) = 0.2.1 Provides: bundled(golang(github.com/go-openapi/loads)) = 0.21.2 Provides: bundled(golang(github.com/go-openapi/runtime)) = 0.26.0 -Provides: bundled(golang(github.com/golang-jwt/jwt/v4)) = 4.5.0 +Provides: bundled(golang(github.com/golang-jwt/jwt/v4)) = 4.5.2 Provides: bundled(golang(github.com/golang/protobuf)) = 1.5.3 Provides: bundled(golang(github.com/googleapis/gax-go/v2)) = 2.12.0 Provides: bundled(golang(github.com/gorilla/mux)) = 1.8.0 @@ -779,6 +780,7 @@ cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} SELinux %patch -P 9 -p1 %patch -P 10 -p1 %patch -P 11 -p1 +%patch -P 12 -p1 %patch -P 1001 -p1 %if %{enable_fips_mode} @@ -1028,6 +1030,9 @@ fi %{_datadir}/selinux/*/grafana.pp %changelog +* Tue Mar 25 2025 Sam Feifer 10.2.6-9 +- Resolves RHEL-84634: CVE-2025-30204 + * Wed Jan 29 2025 Sam Feifer 10.2.6-8 - Resolves RHEL-75922: grafana selinux issue with autofs_t