import CS grafana-10.2.6-25.el10

This commit is contained in:
AlmaLinux RelEng Bot 2026-05-19 15:10:59 -04:00
parent 0445a60813
commit 2e348372ef
2 changed files with 12 additions and 142 deletions

View File

@ -1,123 +0,0 @@
diff --git a/pkg/api/frontendsettings.go b/pkg/api/frontendsettings.go
index 215714b6f83..36949e126b9 100644
--- a/pkg/api/frontendsettings.go
+++ b/pkg/api/frontendsettings.go
@@ -1,6 +1,7 @@
package api
import (
+ "bytes"
"context"
"fmt"
"net/http"
@@ -18,6 +19,7 @@ import (
"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginsettings"
"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginstore"
"github.com/grafana/grafana/pkg/services/secrets/kvstore"
+ dashboardkind "github.com/grafana/grafana/pkg/services/store/kind/dashboard"
"github.com/grafana/grafana/pkg/setting"
"github.com/grafana/grafana/pkg/tsdb/grafanads"
"github.com/grafana/grafana/pkg/util"
@@ -297,7 +299,12 @@ func (hs *HTTPServer) getFSDataSources(c *contextmodel.ReqContext, availablePlug
if c.IsPublicDashboardView() {
// If RBAC is enabled, it will filter out all datasources for a public user, so we need to skip it
- orgDataSources = dataSources
+ // But we can filter to only include datasources actually used by the dashboard
+ filtered, err := hs.publicDashFilterUsedDataSources(c, dataSources)
+ if err != nil {
+ return nil, err
+ }
+ orgDataSources = filtered
} else {
filtered, err := hs.dsGuardian.New(c.SignedInUser.OrgID, c.SignedInUser).FilterDatasourcesByQueryPermissions(dataSources)
if err != nil {
@@ -633,3 +640,36 @@ func (hs *HTTPServer) getEnabledOAuthProviders() map[string]any {
}
return providers
}
+
+func (hs *HTTPServer) publicDashFilterUsedDataSources(c *contextmodel.ReqContext, allDataSources []*datasources.DataSource) ([]*datasources.DataSource, error) {
+ _, dash, err := hs.PublicDashboardsApi.PublicDashboardService.FindPublicDashboardAndDashboardByAccessToken(c.Req.Context(), c.PublicDashboardAccessToken)
+ if err != nil {
+ return nil, err
+ }
+
+ payload, err := dash.Data.Encode()
+ if err != nil {
+ return nil, fmt.Errorf("failed to encode dashboard data: %w", err)
+ }
+
+ lookup := dashboardkind.CreateDatasourceLookup([]*dashboardkind.DatasourceQueryResult{})
+
+ usedDSRefs, err := dashboardkind.ReadDashboard(bytes.NewReader(payload), lookup)
+ if err != nil {
+ return nil, fmt.Errorf("failed to parse dashboard: %w", err)
+ }
+
+ usedUIDs := make(map[string]struct{}, len(usedDSRefs))
+ for _, ds := range usedDSRefs {
+ usedUIDs[ds.UID] = struct{}{}
+ }
+
+ filtered := make([]*datasources.DataSource, 0)
+ for _, ds := range allDataSources {
+ if _, ok := usedUIDs[ds.UID]; ok {
+ filtered = append(filtered, ds)
+ }
+ }
+
+ return filtered, nil
+}
diff --git a/pkg/services/store/kind/dashboard/dashboard.go b/pkg/services/store/kind/dashboard/dashboard.go
index b325acd8c57..054dcafe8ca 100644
--- a/pkg/services/store/kind/dashboard/dashboard.go
+++ b/pkg/services/store/kind/dashboard/dashboard.go
@@ -112,8 +112,17 @@ func newDatasourceVariableLookup(dsLookup DatasourceLookup) *datasourceVariableL
}
}
+// ReadDashboard parses dashboard JSON and returns the data sources used in the dashboard.
+func ReadDashboard(stream io.Reader, lookup DatasourceLookup) ([]DataSourceRef, error) {
+ info, err := readDashboard(stream, lookup)
+ if err != nil {
+ return nil, err
+ }
+ return info.Datasource, nil
+}
+
// nolint:gocyclo
-// ReadDashboard will take a byte stream and return dashboard info
+// readDashboard will take a byte stream and return dashboard info
func readDashboard(stream io.Reader, lookup DatasourceLookup) (*dashboardInfo, error) {
dash := &dashboardInfo{}
diff --git a/pkg/services/store/kind/dashboard/ds_lookup.go b/pkg/services/store/kind/dashboard/ds_lookup.go
index 5d132d569be..7330e598409 100644
--- a/pkg/services/store/kind/dashboard/ds_lookup.go
+++ b/pkg/services/store/kind/dashboard/ds_lookup.go
@@ -100,6 +100,9 @@ func (d *DsLookup) ByRef(ref *DataSourceRef) *DataSourceRef {
if ref == nil {
return d.defaultDS
}
+ if ref.UID == "default" && ref.Type == "" {
+ return d.defaultDS
+ }
key := ""
if ref.UID != "" {
@@ -117,7 +120,13 @@ func (d *DsLookup) ByRef(ref *DataSourceRef) *DataSourceRef {
return ds
}
- return d.byName[key]
+ ds, ok = d.byName[key]
+ if ok {
+ return ds
+ }
+
+ // With nothing was found (or configured), use the original reference
+ return ref
}
func (d *DsLookup) ByType(dsType string) []DataSourceRef {

View File

@ -81,7 +81,6 @@ Patch11: 0011-fix-dompurify-CVE.patch
Patch12: 0012-fix-jwt-CVE.patch
Patch13: 0013-fix-CVE-2025-4123.patch
Patch14: 0014-Fix-CVE-2026-21721.patch
Patch15: 0015-Fix-CVE-2026-27877.patch
# Patches affecting the vendor tarball
Patch1001: 1001-vendor-patch-removed-backend-crypto.patch
@ -776,7 +775,6 @@ rm -r plugins-bundled
%patch -P 12 -p1
%patch -P 13 -p1
%patch -P 14 -p1
%patch -P 15 -p1
%patch -P 1001 -p1
%if %{enable_fips_mode}
@ -1021,26 +1019,21 @@ done
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/*/active/modules/200/grafana
%changelog
* Tue Apr 28 2026 Sam Feifer <sfeifer@redhat.com> 10.2.6-25
- Resolves RHEL-166432: CVE-2026-32282
- Resolves RHEL-167473: CVE-2026-32283
* Wed Apr 1 2026 Sam Feifer <sfeifer@redhat.com> 10.2.6-25
- Resolves RHEL-156596: CVE-2026-25679
* Wed Apr 22 2026 Sam Feifer <sfeifer@redhat.com> 10.2.6-24
- Resolves RHEL-161790: CVE-2026-27877
* Mon Feb 16 2026 Sam Feifer <sfeifer@redhat.com> 10.2.6-24
- Resolves RHEL-144949: CVE-2026-21721
- Resolves RHEL-145413: CVE-2025-61728
- Resolves RHEL-146073: CVE-2025-61726
- Resolves RHEL-149246: CVE-2025-68121
* Tue Mar 31 2026 Sam Feifer <sfeifer@redhat.com> 10.2.6-23
- Resolves RHEL-158458: CVE-2026-25679
* Mon Jan 26 2026 Sam Feifer <sfeifer@redhat.com> 10.2.6-23
- Resolves RHEL-140516: CVE-2025-61729
* Tue Feb 17 2026 Sam Feifer <sfeifer@redhat.com> 10.2.6-22
- Resolves RHEL-144948: CVE-2026-21721
- Resolves RHEL-146721: CVE-2025-61726
- Resolves RHEL-146926: CVE-2025-61729
- Resolves RHEL-147351: CVE-2025-61728
- Resolves RHEL-149227: CVE-2025-68121
* Wed Dec 3 2025 Sam Feifer <sfeifer@redhat.com> 10.2.6-21
- Resolves RHEL-125631: CVE-2025-58183
- Resolves RHEL-132760: Grafana-selinux prevents plugins from searching cgroups
* Mon Dec 1 2025 Sam Feifer <sfeifer@redhat.com> 10.2.6-22
- Resolves RHEL-125629: CVE-2025-58183
- Resolves RHEL-132756: Grafana-selinux prevents plugins from searching cgroups
* Wed Jun 18 2025 Sam Feifer <sfeifer@redhat.com> 10.2.6-20
- Resolves RHEL-97520: Rework grafana-selinux spec file sections