diff --git a/0010-remove-email-lookup.patch b/0010-remove-email-lookup.patch
new file mode 100644
index 0000000..8bbd1c6
--- /dev/null
+++ b/0010-remove-email-lookup.patch
@@ -0,0 +1,64 @@
+From bae86dbeb0ad68a205454e98e76985dc393183d4 Mon Sep 17 00:00:00 2001
+From: Ieva
+Date: Tue, 6 Jun 2023 17:45:31 +0100
+Subject: [PATCH] Auth: Remove Email Lookup from oauth integrations 9.2 (#898)
+
+backport https://github.com/grafana/grafana-private-mirror/pull/894 to 9.3.x
+---
+ pkg/api/login_oauth.go | 17 +++++++++--------
+ pkg/setting/setting.go | 5 ++++-
+ 2 files changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/pkg/api/login_oauth.go b/pkg/api/login_oauth.go
+index 22014aee433c2..af00c56a68ccd 100644
+--- a/pkg/api/login_oauth.go
++++ b/pkg/api/login_oauth.go
+@@ -302,16 +302,17 @@ func (hs *HTTPServer) SyncUser(
+ connect social.SocialConnector,
+ ) (*user.User, error) {
+ oauthLogger.Debug("Syncing Grafana user with corresponding OAuth profile")
++ lookupParams := models.UserLookupParams{}
++ if hs.Cfg.OAuthAllowInsecureEmailLookup {
++ lookupParams.Email = &extUser.Email
++ }
++
+ // add/update user in Grafana
+ cmd := &models.UpsertUserCommand{
+- ReqContext: ctx,
+- ExternalUser: extUser,
+- SignupAllowed: connect.IsSignupAllowed(),
+- UserLookupParams: models.UserLookupParams{
+- Email: &extUser.Email,
+- UserID: nil,
+- Login: nil,
+- },
++ ReqContext: ctx,
++ ExternalUser: extUser,
++ SignupAllowed: connect.IsSignupAllowed(),
++ UserLookupParams: lookupParams,
+ }
+
+ if err := hs.Login.UpsertUser(ctx.Req.Context(), cmd); err != nil {
+diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go
+index 20e8f78a2f55c..03aa5c17d8682 100644
+--- a/pkg/setting/setting.go
++++ b/pkg/setting/setting.go
+@@ -318,7 +318,8 @@ type Cfg struct {
+ AuthProxySyncTTL int
+
+ // OAuth
+- OAuthCookieMaxAge int
++ OAuthCookieMaxAge int
++ OAuthAllowInsecureEmailLookup bool
+
+ // JWT Auth
+ JWTAuthEnabled bool
+@@ -1305,6 +1306,8 @@ func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) {
+ return err
+ }
+
++ cfg.OAuthAllowInsecureEmailLookup = auth.Key("oauth_allow_insecure_email_lookup").MustBool(false)
++
+ const defaultMaxLifetime = "30d"
+ maxLifetimeDurationVal := valueAsString(auth, "login_maximum_lifetime_duration", defaultMaxLifetime)
+ cfg.LoginMaxLifetime, err = gtime.ParseDuration(maxLifetimeDurationVal)
diff --git a/grafana.spec b/grafana.spec
index 4c3e1f7..6f194e4 100644
--- a/grafana.spec
+++ b/grafana.spec
@@ -23,7 +23,7 @@ end}
 Name: grafana
 Version: 9.2.10
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Metrics dashboard and graph editor
 License: AGPLv3
 URL: https://grafana.org
@@ -68,6 +68,8 @@ Patch6: 0006-skip-marketplace-plugin-install-test.patch
 Patch7: 0007-fix-alert-test.patch
 Patch8: 0008-graphite-functions-xss.patch
 Patch9: 0009-redact-weak-ciphers.patch
+# https://github.com/grafana/grafana/commit/bae86dbeb0ad68a205454e98e76985dc393183d4
+Patch10: 0010-remove-email-lookup.patch
 # Patches affecting the vendor tarball
 Patch1001: 1001-vendor-patch-removed-backend-crypto.patch
@@ -724,6 +726,7 @@ rm -r plugins-bundled
 %patch -P 7 -p1
 %patch -P 8 -p1
 %patch -P 9 -p1
+%patch -P 10 -p1
 %patch -P 1001 -p1
 %if %{enable_fips_mode}
@@ -914,6 +917,9 @@ export GOEXPERIMENT=boringcrypto
 %changelog
+* Sat Jul 22 2023 Carl George - 9.2.10-4
+- resolve CVE-2023-3128 grafana: Remove Email Lookup from oauth integrations
+
 * Thu Jul 20 2023 Fedora Release Engineering - 9.2.10-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
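Review bot: The new `OAuthAllowInsecureEmailLookup` field added to `Cfg` in the embedded setting.go hunk has no doc comment, and the SyncUser hunk is the only place that shows what "insecure" means: when the flag is on, `lookupParams.Email = &extUser.Email` matches an existing Grafana account on an email string taken from the OAuth provider, with nothing in the hunk checking that the provider verified it. A comment on the field such as `// OAuthAllowInsecureEmailLookup re-enables matching OAuth logins to existing accounts by the provider-supplied email. That email is not verified here, so keep this false unless every configured provider returns verified, unique emails.` would record that for whoever later flips the default back. It is also worth considering a startup warning when `auth.Key("oauth_allow_insecure_email_lookup").MustBool(false)` reads true, so an operator can see the weakened account-matching in logs; whether a logger is in scope in readAuthSettings is not visible in this hunk. Both SyncUser and readAuthSettings start and end outside their hunks, and the embedded commit message says `backport ... to 9.3.x` while the subject and the spec target 9.2, which should be aligned.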