diff --git a/SOURCES/0013-fix-CVE-2025-4123.patch b/SOURCES/0013-fix-CVE-2025-4123.patch
new file mode 100644
index 0000000..5204e37
--- /dev/null
+++ b/SOURCES/0013-fix-CVE-2025-4123.patch
@@ -0,0 +1,32 @@
+From 2d4314b5ca1e527a3420fad11d3f1a25351700d4 Mon Sep 17 00:00:00 2001
+From: Sam Feifer
+Date: Wed, 7 May 2025 16:27:08 -0400
+Subject: [PATCH] fix CVE-2025-4123
+
+
+diff --git a/conf/defaults.ini b/conf/defaults.ini
+index e1e5468bfa3..4221144bf54 100644
+--- a/conf/defaults.ini
++++ b/conf/defaults.ini
+@@ -363,7 +363,7 @@ x_xss_protection = true
+ 
+ # Enable adding the Content-Security-Policy header to your requests.
+ # CSP allows to control resources the user agent is allowed to load and helps prevent XSS attacks.
+-content_security_policy = false
++content_security_policy = true
+ 
+ # Set Content Security Policy template used when adding the Content-Security-Policy header to your requests.
+ # $NONCE in the template includes a random nonce.
+diff --git a/conf/sample.ini b/conf/sample.ini
+index 51d2b6c512b..fd588b48225 100644
+--- a/conf/sample.ini
++++ b/conf/sample.ini
+@@ -364,7 +364,7 @@
+ 
+ # Enable adding the Content-Security-Policy header to your requests.
+ # CSP allows to control resources the user agent is allowed to load and helps prevent XSS attacks.
+-;content_security_policy = false
++;content_security_policy = true
+ 
+ # Set Content Security Policy template used when adding the Content-Security-Policy header to your requests.
+ # $NONCE in the template includes a random nonce.
diff --git a/SOURCES/build_frontend.sh b/SOURCES/build_frontend.sh
old mode 100755
new mode 100644
diff --git a/SOURCES/create_bundles.sh b/SOURCES/create_bundles.sh
old mode 100755
new mode 100644
diff --git a/SOURCES/create_bundles_in_container.sh b/SOURCES/create_bundles_in_container.sh
old mode 100755
new mode 100644
diff --git a/SOURCES/grafana.sysusers b/SOURCES/grafana.sysusers
index 7c4a4d5..8948dff 100644
--- a/SOURCES/grafana.sysusers
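Review bot: The only code change in 0013-fix-CVE-2025-4123.patch is the default flip `content_security_policy = true` in conf/defaults.ini (plus the commented sample), which takes effect solely for deployments that leave the key unset; an existing /etc/grafana/grafana.ini that explicitly carries the old shipped value `content_security_policy = false` keeps the header off, so the fix is not enforced there. The patch does not touch `content_security_policy_template`, so the policy actually sent is whatever template 10.2.6 already ships, and whether that template is strict enough for the issue being addressed is not visible in this hunk and should be confirmed (a template that retains 'unsafe-inline'/'unsafe-eval' would weaken the mitigation). Turning the header on is also a visible behaviour change for users loading plugin or external assets from origins the template does not cover, so the changelog entry should state that CSP is now enabled by default and that administrators must check grafana.ini for an explicit `false`.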
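Review bot: build_frontend.sh, create_bundles.sh and create_bundles_in_container.sh lose their executable bit (100755 → 100644) in this commit with no matching spec change in the visible hunks and no changelog mention, which looks accidental rather than intended. If any of them is invoked directly (`./create_bundles.sh`) rather than through `sh`, the next bundle refresh or build will fail with permission denied; either restore the mode with `chmod 755 SOURCES/*.sh` or record the intent in the changelog.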
+++ b/SOURCES/grafana.sysusers
@@ -1,2 +1,2 @@
 #Type Name ID GECOS Home directory
-u grafana - "Grafana user account" /usr/share/grafana
+u grafana - "Grafana user account" /var/lib/grafana
diff --git a/SOURCES/list_bundled_nodejs_packages.py b/SOURCES/list_bundled_nodejs_packages.py
old mode 100755
new mode 100644
diff --git a/SPECS/grafana.spec b/SPECS/grafana.spec
index f6c4115..d24ca3d 100644
--- a/SPECS/grafana.spec
+++ b/SPECS/grafana.spec
@@ -25,7 +25,7 @@ end}
 
 Name: grafana
 Version: 10.2.6
-Release: 11%{?dist}
+Release: 13%{?dist}
 Summary: Metrics dashboard and graph editor
 License: AGPL-3.0-only
 URL: https://grafana.org
@@ -79,6 +79,7 @@ Patch9: 0009-update-wrappers-and-systemd-with-distro-paths.patch
 Patch10: 0010-remove-bcrypt-references.patch
 Patch11: 0011-fix-dompurify-CVE.patch
 Patch12: 0012-fix-jwt-CVE.patch
+Patch13: 0013-fix-CVE-2025-4123.patch
 
 # Patches affecting the vendor tarball
 Patch1001: 1001-vendor-patch-removed-backend-crypto.patch
@@ -781,6 +782,7 @@ cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} SELinux
 %patch -P 10 -p1
 %patch -P 11 -p1
 %patch -P 12 -p1
+%patch -P 13 -p1
 %patch -P 1001 -p1
 
 %if %{enable_fips_mode}
@@ -1030,6 +1032,12 @@ fi
 %{_datadir}/selinux/*/grafana.pp
 
 %changelog
+* Tue May 13 2025 Sam Feifer 10.2.6-13
+- Resolves RHEL-89954: CVE-2025-4123
+
+* Tue Apr 29 2025 Sam Feifer 10.2.6-12
+- Resolves RHEL-88922: Move home directory of grafana to /var/lib/grafana
+
 * Tue Mar 25 2025 Sam Feifer 10.2.6-11
 - Resolves RHEL-84636: CVE-2025-30204
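Review bot: Moving the grafana account's home to /var/lib/grafana makes the service's state directory the place where anything run as that user resolves `$HOME` (dotfiles, caches, tool configuration), so its ownership and mode now matter more than when home pointed at the read-only, package-owned /usr/share/grafana. systemd-sysusers creates the user but not the home directory, and none of the spec hunks in this commit touch %files, so confirm the directory is still packaged as something like `%attr(0750, grafana, grafana) %dir %{_sharedstatedir}/grafana` and is not world-readable. The entry still omits the shell field; if the sysusers default of a nologin shell applies here, as I would expect, that is the right outcome, but spelling it out as `u grafana - "Grafana user account" /var/lib/grafana /usr/sbin/nologin` makes the intent explicit.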