import OL grafana-10.2.6-13.el9_6

2025-05-23 12:05:14 +00:00 · 2025-05-23 12:05:14 +00:00 · ffd25b8cdf
commit ffd25b8cdf
parent e1d40d7d2d
7 changed files with 42 additions and 2 deletions
--- a/SOURCES/0013-fix-CVE-2025-4123.patch
+++ b/SOURCES/0013-fix-CVE-2025-4123.patch
@ -0,0 +1,32 @@
+From 2d4314b5ca1e527a3420fad11d3f1a25351700d4 Mon Sep 17 00:00:00 2001
+From: Sam Feifer <sfeifer@redhat.com>
+Date: Wed, 7 May 2025 16:27:08 -0400
+Subject: [PATCH] fix CVE-2025-4123
+
+
+diff --git a/conf/defaults.ini b/conf/defaults.ini
+index e1e5468bfa3..4221144bf54 100644
+--- a/conf/defaults.ini
+++ b/conf/defaults.ini
+@@ -363,7 +363,7 @@ x_xss_protection = true
+ 
+ # Enable adding the Content-Security-Policy header to your requests.
+ # CSP allows to control resources the user agent is allowed to load and helps prevent XSS attacks.
+-content_security_policy = false
+content_security_policy = true
+ 
+ # Set Content Security Policy template used when adding the Content-Security-Policy header to your requests.
+ # $NONCE in the template includes a random nonce.
+diff --git a/conf/sample.ini b/conf/sample.ini
+index 51d2b6c512b..fd588b48225 100644
+--- a/conf/sample.ini
+++ b/conf/sample.ini
+@@ -364,7 +364,7 @@
+ 
+ # Enable adding the Content-Security-Policy header to your requests.
+ # CSP allows to control resources the user agent is allowed to load and helps prevent XSS attacks.
+-;content_security_policy = false
+;content_security_policy = true
+ 
+ # Set Content Security Policy template used when adding the Content-Security-Policy header to your requests.
+ # $NONCE in the template includes a random nonce.
--- a/SOURCES/build_frontend.sh
+++ b/SOURCES/build_frontend.sh
--- a/SOURCES/create_bundles.sh
+++ b/SOURCES/create_bundles.sh
--- a/SOURCES/create_bundles_in_container.sh
+++ b/SOURCES/create_bundles_in_container.sh
--- a/SOURCES/grafana.sysusers
+++ b/SOURCES/grafana.sysusers
@ -1,2 +1,2 @@
 #Type Name    ID GECOS                  Home directory
-u     grafana -  "Grafana user account" /usr/share/grafana
+u     grafana -  "Grafana user account" /var/lib/grafana
--- a/SOURCES/list_bundled_nodejs_packages.py
+++ b/SOURCES/list_bundled_nodejs_packages.py
--- a/SPECS/grafana.spec
+++ b/SPECS/grafana.spec
@ -25,7 +25,7 @@ end}

 Name:             grafana
 Version:          10.2.6
-Release:          11%{?dist}
+Release:          13%{?dist}
 Summary:          Metrics dashboard and graph editor
 License:          AGPL-3.0-only
 URL:              https://grafana.org
@ -79,6 +79,7 @@ Patch9:           0009-update-wrappers-and-systemd-with-distro-paths.patch
 Patch10:          0010-remove-bcrypt-references.patch
 Patch11:          0011-fix-dompurify-CVE.patch
 Patch12:          0012-fix-jwt-CVE.patch
+Patch13:          0013-fix-CVE-2025-4123.patch

 # Patches affecting the vendor tarball
 Patch1001:        1001-vendor-patch-removed-backend-crypto.patch
@ -781,6 +782,7 @@ cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} SELinux
 %patch -P 10 -p1
 %patch -P 11 -p1
 %patch -P 12 -p1
+%patch -P 13 -p1

 %patch -P 1001 -p1
 %if %{enable_fips_mode}
@ -1030,6 +1032,12 @@ fi
 %{_datadir}/selinux/*/grafana.pp

 %changelog
+* Tue May 13 2025 Sam Feifer <sfeifer@redhat.com> 10.2.6-13
+- Resolves RHEL-89954: CVE-2025-4123
+
+* Tue Apr 29 2025 Sam Feifer <sfeifer@redhat.com> 10.2.6-12
+- Resolves RHEL-88922: Move home directory of grafana to /var/lib/grafana
+
 * Tue Mar 25 2025 Sam Feifer <sfeifer@redhat.com> 10.2.6-11
 - Resolves RHEL-84636: CVE-2025-30204