diff --git a/0011-remove-email-lookup.patch b/0011-remove-email-lookup.patch new file mode 100644 index 0000000..27a68b1 --- /dev/null +++ b/0011-remove-email-lookup.patch @@ -0,0 +1,61 @@ +commit bae86dbeb0 +Author: Ieva +Date: Tue Jun 6 17:45:31 2023 +0100 + + Auth: Remove Email Lookup from oauth integrations 9.2 (#898) + + backport https://github.com/grafana/grafana-private-mirror/pull/894 to 9.3.x + +diff --git a/pkg/api/login_oauth.go b/pkg/api/login_oauth.go +index 22014aee43..af00c56a68 100644 +--- a/pkg/api/login_oauth.go ++++ b/pkg/api/login_oauth.go +@@ -302,16 +302,17 @@ + connect social.SocialConnector, + ) (*user.User, error) { + oauthLogger.Debug("Syncing Grafana user with corresponding OAuth profile") ++ lookupParams := models.UserLookupParams{} ++ if hs.Cfg.OAuthAllowInsecureEmailLookup { ++ lookupParams.Email = &extUser.Email ++ } ++ + // add/update user in Grafana + cmd := &models.UpsertUserCommand{ +- ReqContext: ctx, +- ExternalUser: extUser, +- SignupAllowed: connect.IsSignupAllowed(), +- UserLookupParams: models.UserLookupParams{ +- Email: &extUser.Email, +- UserID: nil, +- Login: nil, +- }, ++ ReqContext: ctx, ++ ExternalUser: extUser, ++ SignupAllowed: connect.IsSignupAllowed(), ++ UserLookupParams: lookupParams, + } + + if err := hs.Login.UpsertUser(ctx.Req.Context(), cmd); err != nil { +diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go +index 20e8f78a2f..03aa5c17d8 100644 +--- a/pkg/setting/setting.go ++++ b/pkg/setting/setting.go +@@ -318,7 +318,8 @@ + AuthProxySyncTTL int + + // OAuth +- OAuthCookieMaxAge int ++ OAuthCookieMaxAge int ++ OAuthAllowInsecureEmailLookup bool + + // JWT Auth + JWTAuthEnabled bool +@@ -1256,6 +1256,8 @@ + return err + } + ++ cfg.OAuthAllowInsecureEmailLookup = auth.Key("oauth_allow_insecure_email_lookup").MustBool(false) ++ + const defaultMaxLifetime = "30d" + maxLifetimeDurationVal := valueAsString(auth, "login_maximum_lifetime_duration", defaultMaxLifetime) + cfg.LoginMaxLifetime, err = gtime.ParseDuration(maxLifetimeDurationVal) diff --git a/grafana.spec b/grafana.spec index 9d5618e..0493f82 100644 --- a/grafana.spec +++ b/grafana.spec @@ -23,7 +23,7 @@ end} Name: grafana Version: 9.2.10 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Metrics dashboard and graph editor License: AGPL-3.0-only URL: https://grafana.org @@ -69,6 +69,7 @@ Patch7: 0007-fix-alert-test.patch Patch8: 0008-graphite-functions-xss.patch Patch9: 0009-redact-weak-ciphers.patch Patch10: 0010-skip-tests.patch +Patch11: 0011-remove-email-lookup.patch # Patches affecting the vendor tarball Patch1001: 1001-vendor-patch-removed-backend-crypto.patch @@ -728,7 +729,7 @@ rm -r plugins-bundled %patch -P 8 -p1 %patch -P 9 -p1 %patch -P 10 -p1 - +%patch -P 11 -p1 %patch -P 1001 -p1 %if %{enable_fips_mode} @@ -920,6 +921,9 @@ OPENSSL_FORCE_FIPS_MODE=1 GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryptio %changelog +* Thu Jul 20 2023 Stan Cox 9.2.10-5 +- resolve CVE-2023-3128 grafana: account takeover possible when using Azure AD OAuth + * Thu Jun 8 2023 Stan Cox 9.2.10-3 - bumps exporter-toolkit to v0.7.3, sanitize-url@npm to 6.0.2, skip problematic s390 tests, License AGPL-3.0-only.