diff --git a/SOURCES/0013-snapshot-delete-check-org.patch b/SOURCES/0013-snapshot-delete-check-org.patch new file mode 100644 index 0000000..4211884 --- /dev/null +++ b/SOURCES/0013-snapshot-delete-check-org.patch @@ -0,0 +1,21 @@ +From 9c1236ba6e7d4c6506c62adeb830d9e56db7f425 Mon Sep 17 00:00:00 2001 +From: Sam Feifer +Date: Thu, 28 Mar 2024 13:24:35 -0400 +Subject: [PATCH] snapshot delete check org + + +diff --git a/pkg/api/dashboard_snapshot.go b/pkg/api/dashboard_snapshot.go +index 47ae50544a..0007e89ccb 100644 +--- a/pkg/api/dashboard_snapshot.go ++++ b/pkg/api/dashboard_snapshot.go +@@ -328,6 +328,10 @@ func (hs *HTTPServer) DeleteDashboardSnapshot(c *models.ReqContext) response.Res + return response.Error(http.StatusNotFound, "Failed to get dashboard snapshot", nil) + } + ++ if query.Result.OrgId != c.OrgID { ++ return response.Error(http.StatusUnauthorized, "OrgID mismatch", nil) ++ } ++ + if query.Result.External { + err := deleteExternalDashboardSnapshot(query.Result.ExternalDeleteUrl) + if err != nil { diff --git a/SOURCES/1002-vendor-use-pbkdf2-from-OpenSSL.patch b/SOURCES/1002-vendor-use-pbkdf2-from-OpenSSL.patch index 48a4536..aa4b421 100644 --- a/SOURCES/1002-vendor-use-pbkdf2-from-OpenSSL.patch +++ b/SOURCES/1002-vendor-use-pbkdf2-from-OpenSSL.patch @@ -2,7 +2,7 @@ use pbkdf2 from OpenSSL if FIPS mode is enabled This patch modifies the x/crypto/pbkdf2 function to use OpenSSL if FIPS mode is enabled. -DEFINEFUNC is from /usr/lib/golang/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h +DEFINEFUNC is from /usr/lib/golang/src/vendor/github.com/golang-fips/openssl/openssl/goopenssl.h diff --git a/vendor/golang.org/x/crypto/internal/boring/boring.go b/vendor/golang.org/x/crypto/internal/boring/boring.go new file mode 100644 @@ -112,7 +112,7 @@ index 0000000000..6dfdf10424 --- /dev/null +++ b/vendor/golang.org/x/crypto/internal/boring/openssl_pbkdf2.h 
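Review bot: The org check added to DeleteDashboardSnapshot answers a key that belongs to another org with 401 and a distinct message, `OrgID mismatch`, which both misuses the status (the request has already been resolved to an org, so this is an authorization failure, not a missing credential) and turns the endpoint into an existence oracle, since a foreign key is now distinguishable from a key that does not exist. Reusing the response of the preceding branch, `return response.Error(http.StatusNotFound, "Failed to get dashboard snapshot", nil)`, removes that distinction; if a separate code is wanted, http.StatusForbidden is the correct one. Placing the check ahead of the External branch is right, as it stops another org's ExternalDeleteUrl from being acted on. DeleteDashboardSnapshot starts before and ends after the inner hunk, so whether the lookup by key is already scoped to the org elsewhere is not visible here.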
@@ -0,0 +1,5 @@ -+#include "/usr/lib/golang/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h" ++#include "/usr/lib/golang/src/vendor/github.com/golang-fips/openssl/openssl/goopenssl.h" + +DEFINEFUNC(int, PKCS5_PBKDF2_HMAC, + (const char *pass, int passlen, const unsigned char *salt, int saltlen, int iter, EVP_MD *digest, int keylen, unsigned char *out), diff --git a/SOURCES/build_frontend.sh b/SOURCES/build_frontend.sh old mode 100755 new mode 100644 diff --git a/SOURCES/create_bundles.sh b/SOURCES/create_bundles.sh old mode 100755 new mode 100644 diff --git a/SOURCES/create_bundles_in_container.sh b/SOURCES/create_bundles_in_container.sh old mode 100755 new mode 100644 diff --git a/SOURCES/list_bundled_nodejs_packages.py b/SOURCES/list_bundled_nodejs_packages.py old mode 100755 new mode 100644 diff --git a/SPECS/grafana.spec b/SPECS/grafana.spec index 7ff55af..90842d2 100644 --- a/SPECS/grafana.spec +++ b/SPECS/grafana.spec @@ -25,7 +25,7 @@ end} Name: grafana Version: 9.2.10 -Release: 15%{?dist} +Release: 17%{?dist} Summary: Metrics dashboard and graph editor License: AGPL-3.0-only URL: https://grafana.org @@ -78,6 +78,7 @@ Patch9: 0009-redact-weak-ciphers.patch Patch10: 0010-skip-tests.patch Patch11: 0011-remove-email-lookup.patch Patch12: 0012-coredump-selinux-error.patch +Patch13: 0013-snapshot-delete-check-org.patch # Patches affecting the vendor tarball Patch1001: 1001-vendor-patch-removed-backend-crypto.patch @@ -765,6 +766,7 @@ cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} SELinux %patch -P 10 -p1 %patch -P 11 -p1 %patch -P 12 -p1 +%patch -P 13 -p1 %patch -P 1001 -p1 %if %{enable_fips_mode} 
@@ -1008,6 +1010,14 @@ fi %{_datadir}/selinux/*/grafana.pp %changelog +* Tue Sep 17 2024 Sam Feifer 9.2.10-17 +- Resolves RHEL-57925: CVE-2024-34156 + +* Tue Apr 16 2024 Sam Feifer 9.2.10-16 +- Check OrdID is correct before deleting snapshot +- fix CVE-2024-1313 +- fix CVE-2024-1394 + * Wed Jan 31 2024 Sam Feifer 9.2.10-15 - Resolves RHEL-23468 - Allows for gid to be 0
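Review bot: The 9.2.10-17 changelog entry records `Resolves RHEL-57925: CVE-2024-34156`, but the only change between -16 and -17 in this diff is the Release bump, so the fix presumably comes from rebuilding against an updated toolchain or vendored dependency rather than from a patch carried in this spec; stating that in the entry, or adding a BuildRequires version floor that guarantees the rebuild picks it up, would make the claim checkable from the spec alone. The -16 entry has a typo and should read `- Check OrgID is correct before deleting snapshot`. That entry also lists CVE-2024-1313 and CVE-2024-1394 without naming the patch that addresses each; if 0013-snapshot-delete-check-org.patch and the 1002 include-path change are those fixes, naming them next to the CVE ids ties each claim to its source.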