import OL grafana-10.2.6-9.el9_5

.gitignore

@@ -1,3 +1,3 @@
 SOURCES/grafana-10.2.6.tar.gz
-SOURCES/grafana-vendor-10.2.6-7.tar.xz
-SOURCES/grafana-webpack-10.2.6-7.tar.gz
+SOURCES/grafana-vendor-10.2.6-9.tar.xz
+SOURCES/grafana-webpack-10.2.6-9.tar.gz

.grafana.metadata

@@ -1,3 +1,3 @@
 5c65a9460e0d0ecff29e397b5889b4167f046142 SOURCES/grafana-10.2.6.tar.gz
-2b4545a05745a2d2abb719ea9bd86b87f045cf42 SOURCES/grafana-vendor-10.2.6-7.tar.xz
-3d7618ff21be2346cf59955487aa766f06e7a18c SOURCES/grafana-webpack-10.2.6-7.tar.gz
+80512e6390fd349f9511269026061a2342f3f613 SOURCES/grafana-vendor-10.2.6-9.tar.xz
+128ba33fc426b99ef66e9230a9c68925b9822b85 SOURCES/grafana-webpack-10.2.6-9.tar.gz

SOURCES/0012-fix-jwt-CVE.patch

@@ -0,0 +1,28 @@
+diff --git a/go.mod b/go.mod
+index fcbc09da5e6..1771902bc1c 100644
+--- a/go.mod
++++ b/go.mod
+@@ -164,7 +164,7 @@ require (
+ 	github.com/go-openapi/spec v0.20.9 // indirect
+ 	github.com/go-openapi/swag v0.22.4 // indirect
+ 	github.com/go-openapi/validate v0.22.1 // indirect
+-	github.com/golang-jwt/jwt/v4 v4.5.0 // @grafana/backend-platform
++	github.com/golang-jwt/jwt/v4 v4.5.2 // @grafana/backend-platform
+ 	github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
+ 	github.com/golang/glog v1.1.2 // indirect
+ 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+diff --git a/go.sum b/go.sum
+index d05dfb55fd4..3a045f712eb 100644
+--- a/go.sum
++++ b/go.sum
+@@ -1593,8 +1593,9 @@ github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzw
+ github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
+ github.com/golang-jwt/jwt/v4 v4.4.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+ github.com/golang-jwt/jwt/v4 v4.4.3/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
+ github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
++github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
++github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+ github.com/golang-migrate/migrate/v4 v4.7.0 h1:gONcHxHApDTKXDyLH/H97gEHmpu1zcnnbAaq2zgrPrs=
+ github.com/golang-migrate/migrate/v4 v4.7.0/go.mod h1:Qvut3N4xKWjoH3sokBccML6WyHSnggXm/DvMMnTsQIc=
+ github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=

SOURCES/create_bundles.sh

@@ -21,7 +21,7 @@ pushd "${SOURCE_DIR}"
 
 # Vendor Go dependencies
 patch -p1 --fuzz=0 < ../0004-remove-unused-backend-dependencies.patch
-patch -p1 --fuzz=0 < ../0011-fix-dompurify-CVE.patch
+patch -p1 --fuzz=0 < ../0012-fix-jwt-CVE.patch
 go mod vendor
 
 # Generate Go files
@@ -60,6 +60,7 @@ awk '$2 ~ /^v/ && $4 != "indirect" {print "Provides: bundled(golang(" $1 ")) = "
 
 # Vendor Node.js dependencies
 patch -p1 --fuzz=0 < ../0005-remove-unused-frontend-crypto.patch
+patch -p1 --fuzz=0 < ../0011-fix-dompurify-CVE.patch
 export HUSKY=0
 yarn install --frozen-lockfile
 

SPECS/grafana.spec

@@ -25,7 +25,7 @@ end}
 
 Name:             grafana
 Version:          10.2.6
-Release:          8%{?dist}
+Release:          9%{?dist}
 Summary:          Metrics dashboard and graph editor
 License:          AGPL-3.0-only
 URL:              https://grafana.org
@@ -36,13 +36,13 @@ Source0:          https://github.com/grafana/grafana/archive/v%{version}/%{name}
 # Source1 contains the bundled Go and Node.js dependencies
 # Note: In case there were no changes to this tarball, the NVR of this tarball
 # lags behind the NVR of this package.
-Source1:          grafana-vendor-%{version}-7.tar.xz
+Source1:          grafana-vendor-%{version}-9.tar.xz
 
 %if %{compile_frontend} == 0
 # Source2 contains the precompiled frontend
 # Note: In case there were no changes to this tarball, the NVR of this tarball
 # lags behind the NVR of this package.
-Source2:          grafana-webpack-%{version}-7.tar.gz
+Source2:          grafana-webpack-%{version}-9.tar.gz
 %endif
 
 # Source3 contains the systemd-sysusers configuration
@@ -78,6 +78,7 @@ Patch9:           0009-update-wrappers-and-systemd-with-distro-paths.patch
 # https://github.com/grafana/grafana/commit/bae86dbeb0ad68a205454e98e76985dc393183d4
 Patch10:          0010-remove-bcrypt-references.patch
 Patch11:          0011-fix-dompurify-CVE.patch
+Patch12:          0012-fix-jwt-CVE.patch
 
 # Patches affecting the vendor tarball
 Patch1001:        1001-vendor-patch-removed-backend-crypto.patch
@@ -249,7 +250,7 @@ Provides: bundled(golang(github.com/andybalholm/brotli)) = 1.0.4
 Provides: bundled(golang(github.com/go-kit/log)) = 0.2.1
 Provides: bundled(golang(github.com/go-openapi/loads)) = 0.21.2
 Provides: bundled(golang(github.com/go-openapi/runtime)) = 0.26.0
-Provides: bundled(golang(github.com/golang-jwt/jwt/v4)) = 4.5.0
+Provides: bundled(golang(github.com/golang-jwt/jwt/v4)) = 4.5.2
 Provides: bundled(golang(github.com/golang/protobuf)) = 1.5.3
 Provides: bundled(golang(github.com/googleapis/gax-go/v2)) = 2.12.0
 Provides: bundled(golang(github.com/gorilla/mux)) = 1.8.0
@@ -779,6 +780,7 @@ cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} SELinux
 %patch -P 9 -p1
 %patch -P 10 -p1
 %patch -P 11 -p1
+%patch -P 12 -p1
 
 %patch -P 1001 -p1
 %if %{enable_fips_mode}
@@ -1028,6 +1030,9 @@ fi
 %{_datadir}/selinux/*/grafana.pp
 
 %changelog
+* Tue Mar 25 2025 Sam Feifer <sfeifer@redhat.com> 10.2.6-9
+- Resolves RHEL-84634: CVE-2025-30204
+
 * Wed Jan 29 2025 Sam Feifer <sfeifer@redhat.com> 10.2.6-8
 - Resolves RHEL-75922: grafana selinux issue with autofs_t