From 68e62fc98adf75931ab492ad524359a2db13fcbb Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Thu, 20 Jul 2023 11:43:54 +0300 Subject: [PATCH] import grafana-9.0.9-3.el9_2 --- SOURCES/0011-remove-email-lookup.patch | 61 ++++++++++++++++++++++++++ SOURCES/0012-fix-alert-test.patch | 19 ++++++++ SPECS/grafana.spec | 37 +++++++++------- 3 files changed, 102 insertions(+), 15 deletions(-) create mode 100644 SOURCES/0011-remove-email-lookup.patch create mode 100644 SOURCES/0012-fix-alert-test.patch diff --git a/SOURCES/0011-remove-email-lookup.patch b/SOURCES/0011-remove-email-lookup.patch new file mode 100644 index 0000000..8aa42c4 --- /dev/null +++ b/SOURCES/0011-remove-email-lookup.patch @@ -0,0 +1,61 @@ +commit bae86dbeb0 +Author: Ieva +Date: Tue Jun 6 17:45:31 2023 +0100 + + Auth: Remove Email Lookup from oauth integrations 9.2 (#898) + + backport https://github.com/grafana/grafana-private-mirror/pull/894 to 9.3.x + +diff --git a/pkg/api/login_oauth.go b/pkg/api/login_oauth.go +index 22014aee43..af00c56a68 100644 +--- a/pkg/api/login_oauth.go ++++ b/pkg/api/login_oauth.go +@@ -299,16 +299,17 @@ + connect social.SocialConnector, + ) (*models.User, error) { + oauthLogger.Debug("Syncing Grafana user with corresponding OAuth profile") ++ lookupParams := models.UserLookupParams{} ++ if hs.Cfg.OAuthAllowInsecureEmailLookup { ++ lookupParams.Email = &extUser.Email ++ } ++ + // add/update user in Grafana + cmd := &models.UpsertUserCommand{ +- ReqContext: ctx, +- ExternalUser: extUser, +- SignupAllowed: connect.IsSignupAllowed(), +- UserLookupParams: models.UserLookupParams{ +- Email: &extUser.Email, +- UserID: nil, +- Login: nil, +- }, ++ ReqContext: ctx, ++ ExternalUser: extUser, ++ SignupAllowed: connect.IsSignupAllowed(), ++ UserLookupParams: lookupParams, + } + + if err := hs.Login.UpsertUser(ctx.Req.Context(), cmd); err != nil { +diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go +index 20e8f78a2f..03aa5c17d8 100644 +--- a/pkg/setting/setting.go ++++ b/pkg/setting/setting.go +@@ -312,7 +312,8 @@ + AuthProxySyncTTL int + + // OAuth +- OAuthCookieMaxAge int ++ OAuthCookieMaxAge int ++ OAuthAllowInsecureEmailLookup bool + + // JWT Auth + JWTAuthEnabled bool +@@ -1256,6 +1256,8 @@ + return err + } + ++ cfg.OAuthAllowInsecureEmailLookup = auth.Key("oauth_allow_insecure_email_lookup").MustBool(false) ++ + const defaultMaxLifetime = "30d" + maxLifetimeDurationVal := valueAsString(auth, "login_maximum_lifetime_duration", defaultMaxLifetime) + cfg.LoginMaxLifetime, err = gtime.ParseDuration(maxLifetimeDurationVal) diff --git a/SOURCES/0012-fix-alert-test.patch b/SOURCES/0012-fix-alert-test.patch new file mode 100644 index 0000000..71039d1 --- /dev/null +++ b/SOURCES/0012-fix-alert-test.patch @@ -0,0 +1,19 @@ +From 3236aa416f6d1b109bff1fdd4127292988fb199c Mon Sep 17 00:00:00 2001 +From: Stan Cox +Date: Wed, 22 Jun 2022 17:05:48 +0200 +Subject: [PATCH] fix alert test + + +diff --git a/pkg/tests/api/alerting/api_alertmanager_test.go b/pkg/tests/api/alerting/api_alertmanager_test.go +index 2d6e1235b6..f0eff6d2ac 100644 +--- a/pkg/tests/api/alerting/api_alertmanager_test.go 2023-01-24 14:44:19.000000000 -0500 ++++ b/pkg/tests/api/alerting/api_alertmanager_test.go 2023-04-13 16:20:51.718515009 -0400 +@@ -210,7 +210,7 @@ + { + "comment": "string", + "createdBy": "string", +- "endsAt": "2023-03-31T14:17:04.419Z", ++ "endsAt": "2032-03-31T14:17:04.419Z", + "matchers": [ + { + "isRegex": true, diff --git a/SPECS/grafana.spec b/SPECS/grafana.spec index 4ebe726..52a4cc4 100644 --- a/SPECS/grafana.spec +++ b/SPECS/grafana.spec @@ -23,7 +23,7 @@ end} Name: grafana Version: 9.0.9 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Metrics dashboard and graph editor License: AGPLv3 URL: https://grafana.org @@ -71,6 +71,8 @@ Patch7: 0007-skip-marketplace-plugin-install-test.patch Patch8: 0008-Prometheus-Fix-integer-overflow-in-rate-interval-cal.patch Patch9: 0009-Prometheus-Fix-integer-overflow-in-rate-interval-cal.patch Patch10: 0010-v9.0.x-Login-email-before-username-57406.patch +Patch11: 0011-remove-email-lookup.patch +Patch12: 0012-fix-alert-test.patch # Patches affecting the vendor tarball Patch1001: 1001-vendor-patch-removed-backend-crypto.patch @@ -696,25 +698,27 @@ rm -r plugins-bundled %setup -q -T -D -b 2 %endif -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 +%patch -P 1 -p1 +%patch -P 2 -p1 +%patch -P 3 -p1 +%patch -P 4 -p1 +%patch -P 5 -p1 %if 0%{?fedora} || 0%{?rhel} > 8 -%patch6 -p1 +%patch -P 6 -p1 %endif -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 - -%patch1001 -p1 +%patch -P 7 -p1 +%patch -P 8 -p1 +%patch -P 9 -p1 +%patch -P 10 -p1 +%patch -P 11 -p1 +%patch -P 12 -p1 + +%patch -P 1001 -p1 %if %{enable_fips_mode} -%patch1002 -p1 +%patch -P 1002 -p1 %endif %ifarch s390x i686 armv7hl -%patch1003 -p1 +%patch -P 1003 -p1 %endif @@ -899,6 +903,9 @@ OPENSSL_FORCE_FIPS_MODE=1 GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryptio %changelog +* Wed Jun 28 2023 Stan Cox 9.0.9-3 +- resolve CVE-2023-3128 grafana: Remove Email Lookup from oauth integrations + * Tue Nov 01 2022 Stan Cox 9.0.9-2 - resolve CVE-2022-39229 grafana: Using email as a username can prevent other users from signing in - resolve CVE-2022-2880 CVE-2022-41715 grafana: various flaws