From 6463efb1e20502270e66105d6175c3639a049697 Mon Sep 17 00:00:00 2001
From: Andreas Gerstmayr
Date: Tue, 18 Jan 2022 17:03:36 +0100
Subject: [PATCH] update to upstream Grafana 7.5.13, support go1.18
---
 002-manpages.patch | 4 +-
 011-CVE-2021-43813.patch | 52 -------------------
 ...ac-sha-256-for-password-reset-tokens.patch | 0
 012-support-go1.18.patch | 28 ++++++++++
 Makefile | 6 ++-
 grafana.spec | 16 +++---
 sources | 6 +--
 7 files changed, 47 insertions(+), 65 deletions(-)
 delete mode 100644 011-CVE-2021-43813.patch
 rename 012-use-hmac-sha-256-for-password-reset-tokens.patch => 011-use-hmac-sha-256-for-password-reset-tokens.patch (100%)
 create mode 100644 012-support-go1.18.patch
diff --git a/002-manpages.patch b/002-manpages.patch
index 36ca294..d982b5d 100644
--- a/002-manpages.patch
+++ b/002-manpages.patch
@@ -4,7 +4,7 @@ index 0000000000..7ac2af882c
 --- /dev/null
 +++ b/docs/man/man1/grafana-cli.1
 @@ -0,0 +1,60 @@
-+.TH GRAFANA "1" "October 2021" "Grafana cli version 7.5.11" "User Commands"
++.TH GRAFANA "1" "January 2022" "Grafana cli version 7.5.13" "User Commands"
 +.SH NAME
 +grafana-cli \- command line administration for the Grafana metrics dashboard and graph editor
 +.SH DESCRIPTION
@@ -70,7 +70,7 @@ index 0000000000..c616268b31
 --- /dev/null
 +++ b/docs/man/man1/grafana-server.1
 @@ -0,0 +1,72 @@
-+.TH VERSION "1" "October 2021" "Version 7.5.11" "User Commands"
++.TH VERSION "1" "January 2022" "Version 7.5.13" "User Commands"
 +.SH NAME
 +grafana-server \- back-end server for the Grafana metrics dashboard and graph editor
 +.SH DESCRIPTION
diff --git a/011-CVE-2021-43813.patch b/011-CVE-2021-43813.patch
deleted file mode 100644
index 375b364..0000000
--- a/011-CVE-2021-43813.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-commit ea77415cfe2cefe46ffce233076a1409abaa8df7
-Author: Will Browne
-Date: Fri Dec 10 11:29:12 2021 +0000
-
- apply fix (#42969)
-
-diff --git a/pkg/plugins/plugins.go b/pkg/plugins/plugins.go
-index e6370a29e7..c7199c716e 100644
---- a/pkg/plugins/plugins.go
-+++ b/pkg/plugins/plugins.go
-@@ -491,15 +491,15 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
- }
-
- // nolint:gosec
-- // We can ignore the gosec G304 warning on this one because `plug.PluginDir` is based
-- // on plugin the folder structure on disk and not user input.
-- path := filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToUpper(name)))
-+ // We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
-+ // use this with a prefix of the plugin's directory, which is set during plugin loading
-+ path := filepath.Join(plug.PluginDir, mdFilepath(strings.ToUpper(name)))
- exists, err := fs.Exists(path)
- if err != nil {
- return nil, err
- }
- if !exists {
-- path = filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToLower(name)))
-+ path = filepath.Join(plug.PluginDir, mdFilepath(strings.ToLower(name)))
- }
-
- exists, err = fs.Exists(path)
-@@ -511,8 +511,8 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
- }
-
- // nolint:gosec
-- // We can ignore the gosec G304 warning on this one because `plug.PluginDir` is based
-- // on plugin the folder structure on disk and not user input.
-+ // We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
-+ // use this with a prefix of the plugin's directory, which is set during plugin loading
- data, err := ioutil.ReadFile(path)
- if err != nil {
- return nil, err
-@@ -520,6 +520,10 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
- return data, nil
- }
-
-+func mdFilepath(mdFilename string) string {
-+ return filepath.Clean(filepath.Join("/", fmt.Sprintf("%s.md", mdFilename)))
-+}
-+
- // gets plugin filenames that require verification for plugin signing
- func collectPluginFilesWithin(rootDir string) ([]string, error) {
- var files []string
diff --git a/012-use-hmac-sha-256-for-password-reset-tokens.patch b/011-use-hmac-sha-256-for-password-reset-tokens.patch
similarity index 100%
rename from 012-use-hmac-sha-256-for-password-reset-tokens.patch
rename to 011-use-hmac-sha-256-for-password-reset-tokens.patch
diff --git a/012-support-go1.18.patch b/012-support-go1.18.patch
new file mode 100644
index 0000000..4e6d70e
--- /dev/null
+++ b/012-support-go1.18.patch
@@ -0,0 +1,28 @@
+# json-iterator/go supports go1.18 since v1.1.12
+# https://github.com/json-iterator/go/releases/tag/v1.1.12
+#
+# gonum.org/v1/gonum supports go1.18 since commit cccd8af5f6bd1539dd688c88102cb37e9117f96a
+# https://github.com/gonum/gonum/pull/1729
+
+diff --git a/go.mod b/go.mod
+index 67932fe072..2aa638fe9a 100644
+--- a/go.mod
++++ b/go.mod
+@@ -55,7 +55,7 @@ require (
+ github.com/jaegertracing/jaeger v1.22.1-0.20210304164023-2fff3ca58910
+ github.com/jmespath/go-jmespath v0.4.0
+ github.com/jonboulle/clockwork v0.2.2 // indirect
+- github.com/json-iterator/go v1.1.10
++ github.com/json-iterator/go v1.1.12
+ github.com/lib/pq v1.9.0
+ github.com/linkedin/goavro/v2 v2.10.0
+ github.com/magefile/mage v1.11.0
+@@ -88,7 +88,7 @@ require (
+ golang.org/x/oauth2 v0.0.0-20210113205817-d3ed898aa8a3
+ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a
+ golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e
+- gonum.org/v1/gonum v0.8.2
++ gonum.org/v1/gonum v0.9.1-0.20220120213227-d4eca1bbc084
+ google.golang.org/api v0.40.0
+ google.golang.org/grpc v1.36.0
+ gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
diff --git a/Makefile b/Makefile
index dab531d..1a4ea40 100644
--- a/Makefile
+++ b/Makefile
@@ -13,11 +13,13 @@ WEBPACK_TAR := $(RPM_NAME)-webpack-$(VERSION)-$(RELEASE).tar.gz
 # - changes in Go module imports (which affect the vendored Go modules)
 PATCHES_PRE_VENDOR := \
 005-remove-unused-dependencies.patch \
- 008-remove-unused-frontend-crypto.patch
+ 008-remove-unused-frontend-crypto.patch \
+ 012-support-go1.18.patch
 # patches which must be applied before creating the webpack, for example:
 # - changes in Node.js sources or vendored dependencies
-PATCHES_PRE_WEBPACK :=
+PATCHES_PRE_WEBPACK := \
+ 008-remove-unused-frontend-crypto.patch
 all: $(SOURCE_TAR) $(VENDOR_TAR) $(WEBPACK_TAR)
diff --git a/grafana.spec b/grafana.spec
index dbf2db5..2d65448 100644
--- a/grafana.spec
+++ b/grafana.spec
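Review bot: The header comment of 012-support-go1.18.patch cites gonum commit cccd8af5f6bd1539dd688c88102cb37e9117f96a, but the `require` line pins the pseudo-version `v0.9.1-0.20220120213227-d4eca1bbc084`, whose hash suffix names a different commit. Pinning an untagged commit is reasonable when no release carries the change, but the comment should identify the commit that is actually vendored, e.g. `# pinned to untagged commit d4eca1bbc084 (expected to contain cccd8af5f6bd); move to the next tagged release when available`. The inner diff touches go.mod only; whether go.sum is regenerated when the vendor tarball is built is not visible here and is worth confirming, so that the two new module versions are checksum-verified.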
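Review bot: `008-remove-unused-frontend-crypto.patch` is now listed in both `PATCHES_PRE_VENDOR` and `PATCHES_PRE_WEBPACK`, and neither the commit subject nor the comments above the lists explain the second entry. If earlier webpack tarballs were built without that patch applied, this changes what ends up in the shipped frontend bundle and deserves its own changelog line; a comment above `PATCHES_PRE_WEBPACK` such as `# 008 also changes frontend sources, so it is needed for both the vendor and the webpack tarball` would record the intent. How the two lists are consumed is outside the hunk, so check that a patch present in both is not applied twice to the same tree.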
@@ -29,8 +29,8 @@ end}
 %endif
 Name: grafana
-Version: 7.5.11
-Release: 4%{?dist}
+Version: 7.5.13
+Release: 1%{?dist}
 Summary: Metrics dashboard and graph editor
 License: ASL 2.0
 URL: https://grafana.org
@@ -91,9 +91,9 @@ Patch9: 009-patch-unused-backend-crypto.patch
 # if FIPS mode is enabled.
 Patch10: 010-fips.patch
-Patch11: 011-CVE-2021-43813.patch
+Patch11: 011-use-hmac-sha-256-for-password-reset-tokens.patch
-Patch12: 012-use-hmac-sha-256-for-password-reset-tokens.patch
+Patch12: 012-support-go1.18.patch
 # Intersection of go_arches and nodejs_arches
 ExclusiveArch: %{grafana_arches}
@@ -197,7 +197,7 @@ Provides: bundled(golang(github.com/inconshreveable/log15)) = 0.0.0-201808181646
 Provides: bundled(golang(github.com/influxdata/influxdb-client-go/v2)) = 2.2.0
 Provides: bundled(golang(github.com/jaegertracing/jaeger)) = 1.22.1-0.20210304164023.2fff3ca58910
 Provides: bundled(golang(github.com/jmespath/go-jmespath)) = 0.4.0
-Provides: bundled(golang(github.com/json-iterator/go)) = 1.1.10
+Provides: bundled(golang(github.com/json-iterator/go)) = 1.1.12
 Provides: bundled(golang(github.com/lib/pq)) = 1.9.0
 Provides: bundled(golang(github.com/linkedin/goavro/v2)) = 2.10.0
 Provides: bundled(golang(github.com/magefile/mage)) = 1.11.0
@@ -230,7 +230,7 @@ Provides: bundled(golang(golang.org/x/net)) = 0.0.0-20210119194325.5f4716e94777
 Provides: bundled(golang(golang.org/x/oauth2)) = 0.0.0-20210113205817.d3ed898aa8a3
 Provides: bundled(golang(golang.org/x/sync)) = 0.0.0-20201207232520.09787c993a3a
 Provides: bundled(golang(golang.org/x/time)) = 0.0.0-20200630173020.3af7569d3a1e
-Provides: bundled(golang(gonum.org/v1/gonum)) = 0.8.2
+Provides: bundled(golang(gonum.org/v1/gonum)) = 0.9.1-0.20220120213227.d4eca1bbc084
 Provides: bundled(golang(google.golang.org/api)) = 0.40.0
 Provides: bundled(golang(google.golang.org/grpc)) = 1.36.0
 Provides: bundled(golang(gopkg.in/ini.v1)) = 1.62.0
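Review bot: Removing `Patch11: 011-CVE-2021-43813.patch` in the `@@ -91,9 +91,9 @@` hunk leaves the package with no record of where the CVE-2021-43813 fix now comes from; presumably the 7.5.13 tarball already contains it, but nothing in this diff shows that. Before merging, confirm that `mdFilepath` is present in `pkg/plugins/plugins.go` of the new sources, and record it next to the patch list, e.g. `# CVE-2021-43813: fixed in upstream sources, downstream patch dropped`. The new %changelog entry only says "see CHANGELOG", so a line naming the CVEs covered by the rebase would help anyone auditing the package from its RPM changelog. Patch11 also changes meaning (it is now the HMAC-SHA-256 patch), which matters to anyone tracking the fix by patch number.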
@@ -680,6 +680,10 @@ OPENSSL_FORCE_FIPS_MODE=1 GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryptio
 %changelog
+* Fri Jan 28 2022 Andreas Gerstmayr 7.5.13-1
+- update to 7.5.13 tagged upstream community sources, see CHANGELOG
+- support Go 1.18
+
 * Thu Jan 20 2022 Fedora Release Engineering - 7.5.11-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
diff --git a/sources b/sources
index 2206676..df36ea7 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (grafana-7.5.11.tar.gz) = 355af8d8cff77b2222d18559add8d2a16b086f6354d92b188d2f26fc0b7ffa04b877e568ddcfbc61b8786bdfdc59263009b727ef00b56438ef3fa9bbe6d80583
-SHA512 (grafana-webpack-7.5.11-1.tar.gz) = da927873d5797849783b02126e3f30384fd02ded604c3e50667a27ba1d1c9f9fb6a646ec48f1ac141ffd261c4132b303ffb970d84418332dae60f375258268f6
-SHA512 (grafana-vendor-7.5.11-1.tar.xz) = 37437f704ee51323d058072a63c3e8700268bf97dd58577a6f6c64b9c8f7ee35b120aa46ba8aea3854a088eddd6a59c24cee0232ecfa52de5b8c8cba5041a96e
+SHA512 (grafana-7.5.13.tar.gz) = 25ae342cce34b4b120d278036ff2e515da74b62eec2283bb4c6f49e096163afaf6ae3ed3365e55d5a2b15d89db102724951948efdd876b2358d93cf0aac9a148
+SHA512 (grafana-webpack-7.5.13-1.tar.gz) = 5c5c45b548bca1a784f9de0c49aff5fb43d12a63b8c4a49639c34438cdc9b58e6cb5a0f027219b2090de5ba0ecc6919c813569ee4941e1c921843b77733079a7
+SHA512 (grafana-vendor-7.5.13-1.tar.xz) = 4418e4b4c2df70f1a13ef6f56b20e6afc12f10f57533877aa626313163de7e0766dc4f1b676d54e15c6063c6a4114e5360ecdce40be87561ff68e7f54bdc5da6