Resolves: RHEL-84627

0012-fix-jwt-CVE.patch

@@ -0,0 +1,28 @@
+diff --git a/go.mod b/go.mod
+index fcbc09da5e6..1771902bc1c 100644
+--- a/go.mod
++++ b/go.mod
+@@ -164,7 +164,7 @@ require (
+ 	github.com/go-openapi/spec v0.20.9 // indirect
+ 	github.com/go-openapi/swag v0.22.4 // indirect
+ 	github.com/go-openapi/validate v0.22.1 // indirect
+-	github.com/golang-jwt/jwt/v4 v4.5.0 // @grafana/backend-platform
++	github.com/golang-jwt/jwt/v4 v4.5.2 // @grafana/backend-platform
+ 	github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
+ 	github.com/golang/glog v1.1.2 // indirect
+ 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+diff --git a/go.sum b/go.sum
+index d05dfb55fd4..3a045f712eb 100644
+--- a/go.sum
++++ b/go.sum
+@@ -1593,8 +1593,9 @@ github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzw
+ github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
+ github.com/golang-jwt/jwt/v4 v4.4.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+ github.com/golang-jwt/jwt/v4 v4.4.3/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
+ github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
++github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
++github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+ github.com/golang-migrate/migrate/v4 v4.7.0 h1:gONcHxHApDTKXDyLH/H97gEHmpu1zcnnbAaq2zgrPrs=
+ github.com/golang-migrate/migrate/v4 v4.7.0/go.mod h1:Qvut3N4xKWjoH3sokBccML6WyHSnggXm/DvMMnTsQIc=
+ github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=

create_bundles.sh

@@ -21,6 +21,7 @@ pushd "${SOURCE_DIR}"
 
 # Vendor Go dependencies
 patch -p1 --fuzz=0 < ../0004-remove-unused-backend-dependencies.patch
+patch -p1 --fuzz=0 < ../0012-fix-jwt-CVE.patch
 go mod vendor
 
 # Generate Go files

grafana.spec

@@ -25,7 +25,7 @@ end}
 
 Name:             grafana
 Version:          10.2.6
-Release:          14%{?dist}
+Release:          15%{?dist}
 Summary:          Metrics dashboard and graph editor
 License:          AGPL-3.0-only
 URL:              https://grafana.org
@@ -36,13 +36,13 @@ Source0:          https://github.com/grafana/grafana/archive/v%{version}/%{name}
 # Source1 contains the bundled Go and Node.js dependencies
 # Note: In case there were no changes to this tarball, the NVR of this tarball
 # lags behind the NVR of this package.
-Source1:          grafana-vendor-%{version}-8.tar.xz
+Source1:          grafana-vendor-%{version}-15.tar.xz
 
 %if %{compile_frontend} == 0
 # Source2 contains the precompiled frontend
 # Note: In case there were no changes to this tarball, the NVR of this tarball
 # lags behind the NVR of this package.
-Source2:          grafana-webpack-%{version}-8.tar.gz
+Source2:          grafana-webpack-%{version}-15.tar.gz
 %endif
 
 # Source3 contains the systemd-sysusers configuration
@@ -77,6 +77,7 @@ Patch8:           0008-replace-faulty-slices-sort.patch
 Patch9:           0009-update-wrappers-and-systemd-with-distro-paths.patch
 Patch10:          0010-remove-bcrypt-references.patch
 Patch11:          0011-fix-dompurify-CVE.patch
+Patch12:          0012-fix-jwt-CVE.patch
 
 # Patches affecting the vendor tarball
 Patch1001:        1001-vendor-patch-removed-backend-crypto.patch
@@ -246,7 +247,7 @@ Provides: bundled(golang(github.com/andybalholm/brotli)) = 1.0.4
 Provides: bundled(golang(github.com/go-kit/log)) = 0.2.1
 Provides: bundled(golang(github.com/go-openapi/loads)) = 0.21.2
 Provides: bundled(golang(github.com/go-openapi/runtime)) = 0.26.0
-Provides: bundled(golang(github.com/golang-jwt/jwt/v4)) = 4.5.0
+Provides: bundled(golang(github.com/golang-jwt/jwt/v4)) = 4.5.2
 Provides: bundled(golang(github.com/golang/protobuf)) = 1.5.3
 Provides: bundled(golang(github.com/googleapis/gax-go/v2)) = 2.12.0
 Provides: bundled(golang(github.com/gorilla/mux)) = 1.8.0
@@ -776,6 +777,7 @@ cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} SELinux
 %patch -P 9 -p1
 %patch -P 10 -p1
 %patch -P 11 -p1
+%patch -P 12 -p1
 
 %patch -P 1001 -p1
 %if %{enable_fips_mode}
@@ -1024,6 +1026,9 @@ fi
 %{_datadir}/selinux/*/grafana.pp
 
 %changelog
+* Tue Mar 25 2025 Sam Feifer <sfeifer@redhat.com> 10.2.6-15
+- Resolves RHEL-84627: CVE-2025-30204
+
 * Wed Jan 29 2025 Sam Feifer <sfeifer@redhat.com> - 10.2.6-14
 - Resolves RHEL-75917: grafana selinux issue with autofs_t
 

sources

@@ -1,3 +1,3 @@
 SHA512 (grafana-10.2.6.tar.gz) = 7244f4cb6572fe0403e6224f7247fbb273bbd1f359ee706a82001f0d409fb375d113f1cb24a657e845b93eb55ee98e1d7ae713e767c219f4d3b00eaf5c73d28e
-SHA512 (grafana-webpack-10.2.6-8.tar.gz) = 65c18e7ce7094a4a830440add8ee997208f9b17ea7f269f922641170a8d0f4230799420289d02dc1646291c6c89d8f17d5b01fd1fc7b04579091f00c37dbab16
-SHA512 (grafana-vendor-10.2.6-8.tar.xz) = 518033fedf1861a8e2d69967e34c2765a6b2d53c4c42dd491dbe49863548d895e83b5c1fe0304ba1744b9b20eece367ed3191dcab8c6d1787a658fbe2c22cbe0
+SHA512 (grafana-webpack-10.2.6-15.tar.gz) = 7e4a0f962bc0dbf0fffbc31599870c4099e421d4505644be0a412b26043dc7adb37e81f7b24621731f96d3c8a652009a9eef8cf68dd03e1351dc309fd87a1e6f
+SHA512 (grafana-vendor-10.2.6-15.tar.xz) = 1db5bedbbc84fecad9d07f9a44db0c17c9472387bdd0d58877415c756015dc579f109c1ae43a21ae97da5625806747ddd00b5f31be7965adabd316b1d6e943e1