rpms/grafana
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVE-2023-3128

Browse Source 
Resolves: rhbz#2213698
This commit is contained in:
Stan Cox 2023-07-20 15:53:16 -04:00
parent 8961d51d19
commit 54f0b6ca94
2 changed files with 67 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
0011-remove-email-lookup.patch Normal file
View File

@ -0,0 +1,61 @@
commit bae86dbeb0
Author: Ieva <ieva.vasiljeva@grafana.com>
Date: Tue Jun 6 17:45:31 2023 +0100
Auth: Remove Email Lookup from oauth integrations 9.2 (#898)
backport https://github.com/grafana/grafana-private-mirror/pull/894 to 9.3.x
diff --git a/pkg/api/login_oauth.go b/pkg/api/login_oauth.go
index 22014aee43..af00c56a68 100644
--- a/pkg/api/login_oauth.go
+++ b/pkg/api/login_oauth.go
@@ -302,16 +302,17 @@
connect social.SocialConnector,
) (*user.User, error) {
oauthLogger.Debug("Syncing Grafana user with corresponding OAuth profile")
+ lookupParams := models.UserLookupParams{}
+ if hs.Cfg.OAuthAllowInsecureEmailLookup {
+ lookupParams.Email = &extUser.Email
+ }
+
// add/update user in Grafana
cmd := &models.UpsertUserCommand{
- ReqContext: ctx,
- ExternalUser: extUser,
- SignupAllowed: connect.IsSignupAllowed(),
- UserLookupParams: models.UserLookupParams{
- Email: &extUser.Email,
- UserID: nil,
- Login: nil,
- },
+ ReqContext: ctx,
+ ExternalUser: extUser,
+ SignupAllowed: connect.IsSignupAllowed(),
+ UserLookupParams: lookupParams,
}
if err := hs.Login.UpsertUser(ctx.Req.Context(), cmd); err != nil {
diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go
index 20e8f78a2f..03aa5c17d8 100644
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -318,7 +318,8 @@
AuthProxySyncTTL int
// OAuth
- OAuthCookieMaxAge int
+ OAuthCookieMaxAge int
+ OAuthAllowInsecureEmailLookup bool
// JWT Auth
JWTAuthEnabled bool
@@ -1256,6 +1256,8 @@
return err
}
+ cfg.OAuthAllowInsecureEmailLookup = auth.Key("oauth_allow_insecure_email_lookup").MustBool(false)
+
const defaultMaxLifetime = "30d"
maxLifetimeDurationVal := valueAsString(auth, "login_maximum_lifetime_duration", defaultMaxLifetime)
cfg.LoginMaxLifetime, err = gtime.ParseDuration(maxLifetimeDurationVal)

7
grafana.spec
View File

@ -33,7 +33,7 @@ end}
Name: grafana Name: grafana
Version: 9.2.10 Version: 9.2.10
Release: 4%{?dist} Release: 5%{?dist}
Summary: Metrics dashboard and graph editor Summary: Metrics dashboard and graph editor
License: AGPLv3 License: AGPLv3
URL: https://grafana.org URL: https://grafana.org
@ -78,6 +78,7 @@ Patch6: 0006-skip-marketplace-plugin-install-test.patch
Patch7: 0007-fix-alert-test.patch Patch7: 0007-fix-alert-test.patch
Patch8: 0008-graphite-functions-xss.patch Patch8: 0008-graphite-functions-xss.patch
Patch10: 0010-skip-tests.patch Patch10: 0010-skip-tests.patch
Patch11: 0011-remove-email-lookup.patch
# Patches affecting the vendor tarball # Patches affecting the vendor tarball
Patch1001: 1001-vendor-patch-removed-backend-crypto.patch Patch1001: 1001-vendor-patch-removed-backend-crypto.patch
@ -736,6 +737,7 @@ rm -r plugins-bundled
%patch -P 7 -p1 %patch -P 7 -p1
%patch -P 8 -p1 %patch -P 8 -p1
%patch -P 10 -p1 %patch -P 10 -p1
%patch -P 11 -p1
%patch -P 1001 -p1 %patch -P 1001 -p1
%if %{enable_fips_mode} %if %{enable_fips_mode}
@ -931,6 +933,9 @@ OPENSSL_FORCE_FIPS_MODE=1 GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryptio
%changelog %changelog
* Thu Jul 20 2023 Stan Cox <scox@redhat.com> 9.2.10-5
- resolve CVE-2023-3128 grafana: account takeover possible when using Azure AD OAuth
* Thu Jun 8 2023 Stan Cox <scox@redhat.com> 9.2.10-4 * Thu Jun 8 2023 Stan Cox <scox@redhat.com> 9.2.10-4
- bumps exporter-toolkit to v0.7.3, sanitize-url@npm to 6.0.2, skip problematic s390 tests. - bumps exporter-toolkit to v0.7.3, sanitize-url@npm to 6.0.2, skip problematic s390 tests.