diff --git a/.gitignore b/.gitignore index 9c9ebef..429c991 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ SOURCES/grafana-9.2.10.tar.gz -SOURCES/grafana-vendor-9.2.10-2.tar.xz -SOURCES/grafana-webpack-9.2.10-2.tar.gz +SOURCES/grafana-vendor-9.2.10-20.tar.xz +SOURCES/grafana-webpack-9.2.10-20.tar.gz diff --git a/.grafana.metadata b/.grafana.metadata index 9f15ac9..a3bc3d0 100644 --- a/.grafana.metadata +++ b/.grafana.metadata @@ -1,3 +1,3 @@ 4c9db312dca444023c37c7af9acd2876a7e164b8 SOURCES/grafana-9.2.10.tar.gz -1ab1cbb1efa563dff66783e9c59c8bd43503aef2 SOURCES/grafana-vendor-9.2.10-2.tar.xz -ac93650649c6f3c1f6bc2884c524939afaa8321b SOURCES/grafana-webpack-9.2.10-2.tar.gz +866e038c745dc28b5fa621ed4bce90e005d76ea2 SOURCES/grafana-vendor-9.2.10-20.tar.xz +ae5e714190ca155d6a6e9d38dab99d5aa0e988e1 SOURCES/grafana-webpack-9.2.10-20.tar.gz diff --git a/SOURCES/0014-resolve-dompurify-CVE.patch b/SOURCES/0014-resolve-dompurify-CVE.patch new file mode 100644 index 0000000..450c9fd --- /dev/null +++ b/SOURCES/0014-resolve-dompurify-CVE.patch @@ -0,0 +1,58 @@ +diff --git a/package.json b/package.json +index e26f95d855a..14b3826a64d 100644 +--- a/package.json ++++ b/package.json +@@ -316,7 +316,7 @@ + "dangerously-set-html-content": "1.0.9", + "date-fns": "2.29.1", + "debounce-promise": "3.1.2", +- "dompurify": "^2.4.1", ++ "dompurify": "^2.5.0", + "emotion": "11.0.0", + "eventemitter3": "4.0.7", + "fast-deep-equal": "^3.1.3", +@@ -422,7 +422,8 @@ + "@storybook/react/webpack": "5.74.0", + "ngtemplate-loader/loader-utils": "^2.0.0", + "node-fetch": "2.6.7", +- "slate-dev-environment@^0.2.2": "patch:slate-dev-environment@npm:0.2.5#.yarn/patches/slate-dev-environment-npm-0.2.5-9aeb7da7b5.patch" ++ "slate-dev-environment@^0.2.2": "patch:slate-dev-environment@npm:0.2.5#.yarn/patches/slate-dev-environment-npm-0.2.5-9aeb7da7b5.patch", ++ "dompurify": "^2.5.0" + }, + "workspaces": { + "packages": [ +diff --git a/yarn.lock b/yarn.lock +index f374e10e333..834cfee2642 100644 +--- a/yarn.lock ++++ b/yarn.lock +@@ -18739,17 +18739,10 @@ __metadata: + languageName: node + linkType: hard + +-"dompurify@npm:^2.2.0": +- version: 2.3.8 +- resolution: "dompurify@npm:2.3.8" +- checksum: dc7b32ee57a03fe5166a850071200897cc13fa069287a709e3b2138052d73ec09a87026b9e28c8d2f254a74eaa52ef30644e98e54294c30acbca2a53f1bbc5f4 +- languageName: node +- linkType: hard +- +-"dompurify@npm:^2.4.1": +- version: 2.4.1 +- resolution: "dompurify@npm:2.4.1" +- checksum: 1169177465b3cbb25a44322937fba549f6c4e1a91b83245d144471be26619c835cccf0f8e20aa78c25ac11a06efd17cc1b9db9cacadceb78a4c08a1029eafee5 ++"dompurify@npm:^2.5.0": ++ version: 2.5.7 ++ resolution: "dompurify@npm:2.5.7" ++ checksum: 9652139743130b5ebaf5278fadec06d9b3920019b80c205565b9b8d52cd0cea90ff690c1994c5c0da5bc9d57a94dc19236cdf1ccabdc1c6cff7c255e1e597031 + languageName: node + linkType: hard + +@@ -21953,7 +21946,7 @@ __metadata: + dangerously-set-html-content: 1.0.9 + date-fns: 2.29.1 + debounce-promise: 3.1.2 +- dompurify: ^2.4.1 ++ dompurify: ^2.5.0 + emotion: 11.0.0 + enzyme: 3.11.0 + enzyme-to-json: 3.6.2 diff --git a/SOURCES/create_bundles.sh b/SOURCES/create_bundles.sh index 647ad5c..94171aa 100755 --- a/SOURCES/create_bundles.sh +++ b/SOURCES/create_bundles.sh @@ -40,6 +40,7 @@ awk '$2 ~ /^v/ && $4 != "indirect" {print "Provides: bundled(golang(" $1 ")) = " # Vendor Node.js dependencies patch -p1 --fuzz=0 < ../0005-remove-unused-frontend-crypto.patch +patch -p1 --fuzz=0 < ../0014-resolve-dompurify-CVE.patch export HUSKY=0 yarn install --frozen-lockfile diff --git a/SOURCES/create_bundles_in_container.sh b/SOURCES/create_bundles_in_container.sh index bbed4ca..4640068 100755 --- a/SOURCES/create_bundles_in_container.sh +++ b/SOURCES/create_bundles_in_container.sh @@ -6,7 +6,7 @@ # cat < 9.2.10-20 +- Resolves RHEL-62307: CVE-2024-47875 + +* Thu Oct 10 2024 Sam Feifer 9.2.10-19 +- Resolves RHEL-61779: CVE-2024-9355 + * Mon Jul 22 2024 Lauren Chilton 9.2.10-18 - Resolves RHEL-47191