import OL grafana-9.2.10-17.el9_4

2024-09-24 05:28:31 +00:00 · 2024-09-24 05:28:31 +00:00 · c7e4d236df
commit c7e4d236df
parent dd9dfb6010
7 changed files with 34 additions and 3 deletions
--- a/SOURCES/0013-snapshot-delete-check-org.patch
+++ b/SOURCES/0013-snapshot-delete-check-org.patch
@ -0,0 +1,21 @@
+From 9c1236ba6e7d4c6506c62adeb830d9e56db7f425 Mon Sep 17 00:00:00 2001
+From: Sam Feifer <sfeifer@redhat.com>
+Date: Thu, 28 Mar 2024 13:24:35 -0400
+Subject: [PATCH] snapshot delete check org
+
+
+diff --git a/pkg/api/dashboard_snapshot.go b/pkg/api/dashboard_snapshot.go
+index 47ae50544a..0007e89ccb 100644
+--- a/pkg/api/dashboard_snapshot.go
+++ b/pkg/api/dashboard_snapshot.go
+@@ -328,6 +328,10 @@ func (hs *HTTPServer) DeleteDashboardSnapshot(c *models.ReqContext) response.Res
+ 		return response.Error(http.StatusNotFound, "Failed to get dashboard snapshot", nil)
+ 	}
+ 
+	if query.Result.OrgId != c.OrgID {
+		return response.Error(http.StatusUnauthorized, "OrgID mismatch", nil)
+	}
+
+ 	if query.Result.External {
+ 		err := deleteExternalDashboardSnapshot(query.Result.ExternalDeleteUrl)
+ 		if err != nil {
--- a/SOURCES/1002-vendor-use-pbkdf2-from-OpenSSL.patch
+++ b/SOURCES/1002-vendor-use-pbkdf2-from-OpenSSL.patch
@ -2,7 +2,7 @@ use pbkdf2 from OpenSSL if FIPS mode is enabled

 This patch modifies the x/crypto/pbkdf2 function to use OpenSSL
 if FIPS mode is enabled.
-DEFINEFUNC is from /usr/lib/golang/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
+DEFINEFUNC is from /usr/lib/golang/src/vendor/github.com/golang-fips/openssl/openssl/goopenssl.h

 diff --git a/vendor/golang.org/x/crypto/internal/boring/boring.go b/vendor/golang.org/x/crypto/internal/boring/boring.go
 new file mode 100644
@ -112,7 +112,7 @@ index 0000000000..6dfdf10424
 --- /dev/null
 +++ b/vendor/golang.org/x/crypto/internal/boring/openssl_pbkdf2.h
@@ -0,0 +1,5 @@
-+#include "/usr/lib/golang/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h"
+#include "/usr/lib/golang/src/vendor/github.com/golang-fips/openssl/openssl/goopenssl.h"
 +
 +DEFINEFUNC(int, PKCS5_PBKDF2_HMAC,
 +    (const char *pass, int passlen, const unsigned char *salt, int saltlen, int iter, EVP_MD *digest, int keylen, unsigned char *out),
--- a/SOURCES/build_frontend.sh
+++ b/SOURCES/build_frontend.sh
--- a/SOURCES/create_bundles.sh
+++ b/SOURCES/create_bundles.sh
--- a/SOURCES/create_bundles_in_container.sh
+++ b/SOURCES/create_bundles_in_container.sh
--- a/SOURCES/list_bundled_nodejs_packages.py
+++ b/SOURCES/list_bundled_nodejs_packages.py
--- a/SPECS/grafana.spec
+++ b/SPECS/grafana.spec
@ -25,7 +25,7 @@ end}

 Name:             grafana
 Version:          9.2.10
-Release:          15%{?dist}
+Release:          17%{?dist}
 Summary:          Metrics dashboard and graph editor
 License:          AGPL-3.0-only
 URL:              https://grafana.org
@ -78,6 +78,7 @@ Patch9:           0009-redact-weak-ciphers.patch
 Patch10:          0010-skip-tests.patch
 Patch11:          0011-remove-email-lookup.patch
 Patch12:          0012-coredump-selinux-error.patch
+Patch13:          0013-snapshot-delete-check-org.patch

 # Patches affecting the vendor tarball
 Patch1001:        1001-vendor-patch-removed-backend-crypto.patch
@ -765,6 +766,7 @@ cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} SELinux
 %patch -P 10 -p1
 %patch -P 11 -p1
 %patch -P 12 -p1
+%patch -P 13 -p1

 %patch -P 1001 -p1
 %if %{enable_fips_mode}
@ -1008,6 +1010,14 @@ fi
 %{_datadir}/selinux/*/grafana.pp

 %changelog
+* Tue Sep 17 2024 Sam Feifer <sfeifer@redhat.com> 9.2.10-17
+- Resolves RHEL-57925: CVE-2024-34156
+
+* Tue Apr 16 2024 Sam Feifer <sfeifer@redhat.com> 9.2.10-16
+- Check OrdID is correct before deleting snapshot
+- fix CVE-2024-1313
+- fix CVE-2024-1394
+
 * Wed Jan 31 2024 Sam Feifer <sfeifer@redhat.com> 9.2.10-15
 - Resolves RHEL-23468
 - Allows for gid to be 0