diff --git a/.gitignore b/.gitignore index a6dbaab..cf6336a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ SOURCES/grafana-10.2.6.tar.gz -SOURCES/grafana-vendor-10.2.6-2.tar.xz -SOURCES/grafana-webpack-10.2.6-2.tar.gz +SOURCES/grafana-vendor-10.2.6-8.tar.xz +SOURCES/grafana-webpack-10.2.6-8.tar.gz diff --git a/.grafana.metadata b/.grafana.metadata index 518f49a..adbcede 100644 --- a/.grafana.metadata +++ b/.grafana.metadata @@ -1,3 +1,3 @@ 5c65a9460e0d0ecff29e397b5889b4167f046142 SOURCES/grafana-10.2.6.tar.gz -1dbd3823c3004d7127fab43b82a0ca9e988922dc SOURCES/grafana-vendor-10.2.6-2.tar.xz -7229d7721cd93d95fde2a306ae775876053a05b0 SOURCES/grafana-webpack-10.2.6-2.tar.gz +70d5da67ed04fdcf458baf40e35aa35933879fe5 SOURCES/grafana-vendor-10.2.6-8.tar.xz +928f19ae2f710ed11ec8dcbeab224dd40513fa36 SOURCES/grafana-webpack-10.2.6-8.tar.gz diff --git a/SOURCES/0011-fix-dompurify-CVE.patch b/SOURCES/0011-fix-dompurify-CVE.patch new file mode 100644 index 0000000..9be0fdf --- /dev/null +++ b/SOURCES/0011-fix-dompurify-CVE.patch @@ -0,0 +1,55 @@ +diff --git a/package.json b/package.json +index 38deb6d7dee..010a24fb451 100644 +--- a/package.json ++++ b/package.json +@@ -432,7 +432,8 @@ + "react-split-pane@0.1.92": "patch:react-split-pane@npm:0.1.92#.yarn/patches/react-split-pane-npm-0.1.92-93dbf51dff.patch", + "@storybook/blocks@7.4.5": "patch:@storybook/blocks@npm%3A7.4.5#./.yarn/patches/@storybook-blocks-npm-7.4.5-5a2374564a.patch", + "history@4.10.1": "patch:history@npm%3A4.10.1#./.yarn/patches/history-npm-4.10.1-ee217563ae.patch", +- "history@^4.9.0": "patch:history@npm%3A4.10.1#./.yarn/patches/history-npm-4.10.1-ee217563ae.patch" ++ "history@^4.9.0": "patch:history@npm%3A4.10.1#./.yarn/patches/history-npm-4.10.1-ee217563ae.patch", ++ "dompurify": "^2.5.0" + }, + "workspaces": { + "packages": [ +diff --git a/packages/grafana-data/package.json b/packages/grafana-data/package.json +index 2182744e61b..4201ef58dda 100644 +--- a/packages/grafana-data/package.json ++++ b/packages/grafana-data/package.json +@@ -41,7 +41,7 @@ + "@types/string-hash": "1.1.1", + "d3-interpolate": "3.0.1", + "date-fns": "2.30.0", +- "dompurify": "^2.4.3", ++ "dompurify": "^2.5.0", + "eventemitter3": "5.0.1", + "fast_array_intersect": "1.1.0", + "history": "4.10.1", +diff --git a/yarn.lock b/yarn.lock +index bf22ba52a17..88fc4d3fbfb 100644 +--- a/yarn.lock ++++ b/yarn.lock +@@ -2953,7 +2953,7 @@ __metadata: + "@types/tinycolor2": "npm:1.4.3" + d3-interpolate: "npm:3.0.1" + date-fns: "npm:2.30.0" +- dompurify: "npm:^2.4.3" ++ dompurify: "npm:^2.5.0" + esbuild: "npm:0.18.12" + eventemitter3: "npm:5.0.1" + fast_array_intersect: "npm:1.1.0" +@@ -14478,10 +14478,10 @@ __metadata: + languageName: node + linkType: hard + +-"dompurify@npm:^2.2.0, dompurify@npm:^2.4.3": +- version: 2.4.5 +- resolution: "dompurify@npm:2.4.5" +- checksum: d764c2ff126b3749dad35bc34eed40f51141d7dfd620e938c92f08d68c32beeb259d06abadeee91f6e2a8c8737ce670e2124ac9a257ba3bcdc666598cebcde01 ++"dompurify@npm:^2.5.0": ++ version: 2.5.7 ++ resolution: "dompurify@npm:2.5.7" ++ checksum: b150ca1e28083252cd51097162dc96cb45203f7e2af1fbaa8ef32b4f4d6b605e4aa8915190d38bd0635cbbf14d13a200138cd3ec1b084096819b14c718355122 + languageName: node + linkType: hard + diff --git a/SOURCES/create_bundles.sh b/SOURCES/create_bundles.sh index feb9994..d3c97c1 100755 --- a/SOURCES/create_bundles.sh +++ b/SOURCES/create_bundles.sh @@ -59,6 +59,7 @@ awk '$2 ~ /^v/ && $4 != "indirect" {print "Provides: bundled(golang(" $1 ")) = " # Vendor Node.js dependencies patch -p1 --fuzz=0 < ../0005-remove-unused-frontend-crypto.patch +patch -p1 --fuzz=0 < ../0011-fix-dompurify-CVE.patch export HUSKY=0 yarn install --frozen-lockfile diff --git a/SPECS/grafana.spec b/SPECS/grafana.spec index 42290d9..6bff02e 100644 --- a/SPECS/grafana.spec +++ b/SPECS/grafana.spec @@ -25,7 +25,7 @@ end} Name: grafana Version: 10.2.6 -Release: 7%{?dist} +Release: 9%{?dist} Summary: Metrics dashboard and graph editor License: AGPL-3.0-only URL: https://grafana.org @@ -36,13 +36,13 @@ Source0: https://github.com/grafana/grafana/archive/v%{version}/%{name} # Source1 contains the bundled Go and Node.js dependencies # Note: In case there were no changes to this tarball, the NVR of this tarball # lags behind the NVR of this package. -Source1: grafana-vendor-%{version}-2.tar.xz +Source1: grafana-vendor-%{version}-8.tar.xz %if %{compile_frontend} == 0 # Source2 contains the precompiled frontend # Note: In case there were no changes to this tarball, the NVR of this tarball # lags behind the NVR of this package. -Source2: grafana-webpack-%{version}-2.tar.gz +Source2: grafana-webpack-%{version}-8.tar.gz %endif # Source3 contains the systemd-sysusers configuration @@ -76,6 +76,7 @@ Patch7: 0007-redact-weak-ciphers.patch Patch8: 0008-replace-faulty-slices-sort.patch Patch9: 0009-update-wrappers-and-systemd-with-distro-paths.patch Patch10: 0010-remove-bcrypt-references.patch +Patch11: 0011-fix-dompurify-CVE.patch # Patches affecting the vendor tarball Patch1001: 1001-vendor-patch-removed-backend-crypto.patch @@ -534,7 +535,7 @@ Provides: bundled(npm(date-fns)) = 2.30.0 Provides: bundled(npm(debounce-promise)) = 3.1.2 Provides: bundled(npm(devtools-protocol)) = 0.0.927104 Provides: bundled(npm(diff)) = 4.0.2 -Provides: bundled(npm(dompurify)) = 2.4.5 +Provides: bundled(npm(dompurify)) = 2.5.7 Provides: bundled(npm(emotion)) = 10.0.27 Provides: bundled(npm(esbuild)) = 0.17.19 Provides: bundled(npm(esbuild-loader)) = 3.0.1 @@ -774,6 +775,7 @@ cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} SELinux %patch -P 8 -p1 %patch -P 9 -p1 %patch -P 10 -p1 +%patch -P 11 -p1 %patch -P 1001 -p1 %if %{enable_fips_mode} @@ -1022,6 +1024,13 @@ fi %{_datadir}/selinux/*/grafana.pp %changelog +* Tue Oct 29 2024 Troy Dawson - 10.2.6-9 +- Bump release for October 2024 mass rebuild: + Resolves: RHEL-64018 + +* Mon Oct 28 2024 Sam Feifer - 10.2.6-8 +- Resolves RHEL-63100: CVE-2024-47875 + * Tue Oct 8 2024 Sam Feifer - 10.2.6-7 - Resolves: RHEL-57874