From 2e348372ef90b95b1f83c9d7227f23fa4ac568fd Mon Sep 17 00:00:00 2001 From: AlmaLinux RelEng Bot Date: Tue, 19 May 2026 15:10:59 -0400 Subject: [PATCH] import CS grafana-10.2.6-25.el10 --- 0015-Fix-CVE-2026-27877.patch | 123 ---------------------------------- grafana.spec | 31 ++++----- 2 files changed, 12 insertions(+), 142 deletions(-) delete mode 100644 0015-Fix-CVE-2026-27877.patch diff --git a/0015-Fix-CVE-2026-27877.patch b/0015-Fix-CVE-2026-27877.patch deleted file mode 100644 index 51c49a0..0000000 --- a/0015-Fix-CVE-2026-27877.patch +++ /dev/null @@ -1,123 +0,0 @@ -diff --git a/pkg/api/frontendsettings.go b/pkg/api/frontendsettings.go -index 215714b6f83..36949e126b9 100644 ---- a/pkg/api/frontendsettings.go -+++ b/pkg/api/frontendsettings.go -@@ -1,6 +1,7 @@ - package api - - import ( -+ "bytes" - "context" - "fmt" - "net/http" -@@ -18,6 +19,7 @@ import ( - "github.com/grafana/grafana/pkg/services/pluginsintegration/pluginsettings" - "github.com/grafana/grafana/pkg/services/pluginsintegration/pluginstore" - "github.com/grafana/grafana/pkg/services/secrets/kvstore" -+ dashboardkind "github.com/grafana/grafana/pkg/services/store/kind/dashboard" - "github.com/grafana/grafana/pkg/setting" - "github.com/grafana/grafana/pkg/tsdb/grafanads" - "github.com/grafana/grafana/pkg/util" -@@ -297,7 +299,12 @@ func (hs *HTTPServer) getFSDataSources(c *contextmodel.ReqContext, availablePlug - - if c.IsPublicDashboardView() { - // If RBAC is enabled, it will filter out all datasources for a public user, so we need to skip it -- orgDataSources = dataSources -+ // But we can filter to only include datasources actually used by the dashboard -+ filtered, err := hs.publicDashFilterUsedDataSources(c, dataSources) -+ if err != nil { -+ return nil, err -+ } -+ orgDataSources = filtered - } else { - filtered, err := hs.dsGuardian.New(c.SignedInUser.OrgID, c.SignedInUser).FilterDatasourcesByQueryPermissions(dataSources) - if err != nil { -@@ -633,3 +640,36 @@ func (hs *HTTPServer) getEnabledOAuthProviders() map[string]any { - } - return providers - } -+ -+func (hs *HTTPServer) publicDashFilterUsedDataSources(c *contextmodel.ReqContext, allDataSources []*datasources.DataSource) ([]*datasources.DataSource, error) { -+ _, dash, err := hs.PublicDashboardsApi.PublicDashboardService.FindPublicDashboardAndDashboardByAccessToken(c.Req.Context(), c.PublicDashboardAccessToken) -+ if err != nil { -+ return nil, err -+ } -+ -+ payload, err := dash.Data.Encode() -+ if err != nil { -+ return nil, fmt.Errorf("failed to encode dashboard data: %w", err) -+ } -+ -+ lookup := dashboardkind.CreateDatasourceLookup([]*dashboardkind.DatasourceQueryResult{}) -+ -+ usedDSRefs, err := dashboardkind.ReadDashboard(bytes.NewReader(payload), lookup) -+ if err != nil { -+ return nil, fmt.Errorf("failed to parse dashboard: %w", err) -+ } -+ -+ usedUIDs := make(map[string]struct{}, len(usedDSRefs)) -+ for _, ds := range usedDSRefs { -+ usedUIDs[ds.UID] = struct{}{} -+ } -+ -+ filtered := make([]*datasources.DataSource, 0) -+ for _, ds := range allDataSources { -+ if _, ok := usedUIDs[ds.UID]; ok { -+ filtered = append(filtered, ds) -+ } -+ } -+ -+ return filtered, nil -+} -diff --git a/pkg/services/store/kind/dashboard/dashboard.go b/pkg/services/store/kind/dashboard/dashboard.go -index b325acd8c57..054dcafe8ca 100644 ---- a/pkg/services/store/kind/dashboard/dashboard.go -+++ b/pkg/services/store/kind/dashboard/dashboard.go -@@ -112,8 +112,17 @@ func newDatasourceVariableLookup(dsLookup DatasourceLookup) *datasourceVariableL - } - } - -+// ReadDashboard parses dashboard JSON and returns the data sources used in the dashboard. -+func ReadDashboard(stream io.Reader, lookup DatasourceLookup) ([]DataSourceRef, error) { -+ info, err := readDashboard(stream, lookup) -+ if err != nil { -+ return nil, err -+ } -+ return info.Datasource, nil -+} -+ - // nolint:gocyclo --// ReadDashboard will take a byte stream and return dashboard info -+// readDashboard will take a byte stream and return dashboard info - func readDashboard(stream io.Reader, lookup DatasourceLookup) (*dashboardInfo, error) { - dash := &dashboardInfo{} - -diff --git a/pkg/services/store/kind/dashboard/ds_lookup.go b/pkg/services/store/kind/dashboard/ds_lookup.go -index 5d132d569be..7330e598409 100644 ---- a/pkg/services/store/kind/dashboard/ds_lookup.go -+++ b/pkg/services/store/kind/dashboard/ds_lookup.go -@@ -100,6 +100,9 @@ func (d *DsLookup) ByRef(ref *DataSourceRef) *DataSourceRef { - if ref == nil { - return d.defaultDS - } -+ if ref.UID == "default" && ref.Type == "" { -+ return d.defaultDS -+ } - - key := "" - if ref.UID != "" { -@@ -117,7 +120,13 @@ func (d *DsLookup) ByRef(ref *DataSourceRef) *DataSourceRef { - return ds - } - -- return d.byName[key] -+ ds, ok = d.byName[key] -+ if ok { -+ return ds -+ } -+ -+ // With nothing was found (or configured), use the original reference -+ return ref - } - - func (d *DsLookup) ByType(dsType string) []DataSourceRef { diff --git a/grafana.spec b/grafana.spec index e3ed917..7792c7f 100644 --- a/grafana.spec +++ b/grafana.spec @@ -81,7 +81,6 @@ Patch11: 0011-fix-dompurify-CVE.patch Patch12: 0012-fix-jwt-CVE.patch Patch13: 0013-fix-CVE-2025-4123.patch Patch14: 0014-Fix-CVE-2026-21721.patch -Patch15: 0015-Fix-CVE-2026-27877.patch # Patches affecting the vendor tarball Patch1001: 1001-vendor-patch-removed-backend-crypto.patch @@ -776,7 +775,6 @@ rm -r plugins-bundled %patch -P 12 -p1 %patch -P 13 -p1 %patch -P 14 -p1 -%patch -P 15 -p1 %patch -P 1001 -p1 %if %{enable_fips_mode} @@ -1021,26 +1019,21 @@ done %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/*/active/modules/200/grafana %changelog -* Tue Apr 28 2026 Sam Feifer 10.2.6-25 -- Resolves RHEL-166432: CVE-2026-32282 -- Resolves RHEL-167473: CVE-2026-32283 +* Wed Apr 1 2026 Sam Feifer 10.2.6-25 +- Resolves RHEL-156596: CVE-2026-25679 -* Wed Apr 22 2026 Sam Feifer 10.2.6-24 -- Resolves RHEL-161790: CVE-2026-27877 +* Mon Feb 16 2026 Sam Feifer 10.2.6-24 +- Resolves RHEL-144949: CVE-2026-21721 +- Resolves RHEL-145413: CVE-2025-61728 +- Resolves RHEL-146073: CVE-2025-61726 +- Resolves RHEL-149246: CVE-2025-68121 -* Tue Mar 31 2026 Sam Feifer 10.2.6-23 -- Resolves RHEL-158458: CVE-2026-25679 +* Mon Jan 26 2026 Sam Feifer 10.2.6-23 +- Resolves RHEL-140516: CVE-2025-61729 -* Tue Feb 17 2026 Sam Feifer 10.2.6-22 -- Resolves RHEL-144948: CVE-2026-21721 -- Resolves RHEL-146721: CVE-2025-61726 -- Resolves RHEL-146926: CVE-2025-61729 -- Resolves RHEL-147351: CVE-2025-61728 -- Resolves RHEL-149227: CVE-2025-68121 - -* Wed Dec 3 2025 Sam Feifer 10.2.6-21 -- Resolves RHEL-125631: CVE-2025-58183 -- Resolves RHEL-132760: Grafana-selinux prevents plugins from searching cgroups +* Mon Dec 1 2025 Sam Feifer 10.2.6-22 +- Resolves RHEL-125629: CVE-2025-58183 +- Resolves RHEL-132756: Grafana-selinux prevents plugins from searching cgroups * Wed Jun 18 2025 Sam Feifer 10.2.6-20 - Resolves RHEL-97520: Rework grafana-selinux spec file sections