From fee1daa8a2e03d202b40f4392a2336bee23faeee Mon Sep 17 00:00:00 2001
From: MSVSphere Packaging Team <packager@msvsphere-os.ru>
Date: Wed, 6 Nov 2024 09:44:58 +0300
Subject: [PATCH] import grafana-10.2.6-9.el10

---
 .gitignore                           |  4 +-
 .grafana.metadata                    |  4 +-
 SOURCES/0011-fix-dompurify-CVE.patch | 55 ++++++++++++++++++++++++++++
 SOURCES/create_bundles.sh            |  1 +
 SPECS/grafana.spec                   | 17 +++++++--
 5 files changed, 73 insertions(+), 8 deletions(-)
 create mode 100644 SOURCES/0011-fix-dompurify-CVE.patch

diff --git a/.gitignore b/.gitignore
index a6dbaab..cf6336a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 SOURCES/grafana-10.2.6.tar.gz
-SOURCES/grafana-vendor-10.2.6-2.tar.xz
-SOURCES/grafana-webpack-10.2.6-2.tar.gz
+SOURCES/grafana-vendor-10.2.6-8.tar.xz
+SOURCES/grafana-webpack-10.2.6-8.tar.gz
diff --git a/.grafana.metadata b/.grafana.metadata
index 518f49a..adbcede 100644
--- a/.grafana.metadata
+++ b/.grafana.metadata
@@ -1,3 +1,3 @@
 5c65a9460e0d0ecff29e397b5889b4167f046142 SOURCES/grafana-10.2.6.tar.gz
-1dbd3823c3004d7127fab43b82a0ca9e988922dc SOURCES/grafana-vendor-10.2.6-2.tar.xz
-7229d7721cd93d95fde2a306ae775876053a05b0 SOURCES/grafana-webpack-10.2.6-2.tar.gz
+70d5da67ed04fdcf458baf40e35aa35933879fe5 SOURCES/grafana-vendor-10.2.6-8.tar.xz
+928f19ae2f710ed11ec8dcbeab224dd40513fa36 SOURCES/grafana-webpack-10.2.6-8.tar.gz
diff --git a/SOURCES/0011-fix-dompurify-CVE.patch b/SOURCES/0011-fix-dompurify-CVE.patch
new file mode 100644
index 0000000..9be0fdf
--- /dev/null
+++ b/SOURCES/0011-fix-dompurify-CVE.patch
@@ -0,0 +1,55 @@
+diff --git a/package.json b/package.json
+index 38deb6d7dee..010a24fb451 100644
+--- a/package.json
++++ b/package.json
+@@ -432,7 +432,8 @@
+     "react-split-pane@0.1.92": "patch:react-split-pane@npm:0.1.92#.yarn/patches/react-split-pane-npm-0.1.92-93dbf51dff.patch",
+     "@storybook/blocks@7.4.5": "patch:@storybook/blocks@npm%3A7.4.5#./.yarn/patches/@storybook-blocks-npm-7.4.5-5a2374564a.patch",
+     "history@4.10.1": "patch:history@npm%3A4.10.1#./.yarn/patches/history-npm-4.10.1-ee217563ae.patch",
+-    "history@^4.9.0": "patch:history@npm%3A4.10.1#./.yarn/patches/history-npm-4.10.1-ee217563ae.patch"
++    "history@^4.9.0": "patch:history@npm%3A4.10.1#./.yarn/patches/history-npm-4.10.1-ee217563ae.patch",
++    "dompurify": "^2.5.0"
+   },
+   "workspaces": {
+     "packages": [
+diff --git a/packages/grafana-data/package.json b/packages/grafana-data/package.json
+index 2182744e61b..4201ef58dda 100644
+--- a/packages/grafana-data/package.json
++++ b/packages/grafana-data/package.json
+@@ -41,7 +41,7 @@
+     "@types/string-hash": "1.1.1",
+     "d3-interpolate": "3.0.1",
+     "date-fns": "2.30.0",
+-    "dompurify": "^2.4.3",
++    "dompurify": "^2.5.0",
+     "eventemitter3": "5.0.1",
+     "fast_array_intersect": "1.1.0",
+     "history": "4.10.1",
+diff --git a/yarn.lock b/yarn.lock
+index bf22ba52a17..88fc4d3fbfb 100644
+--- a/yarn.lock
++++ b/yarn.lock
+@@ -2953,7 +2953,7 @@ __metadata:
+     "@types/tinycolor2": "npm:1.4.3"
+     d3-interpolate: "npm:3.0.1"
+     date-fns: "npm:2.30.0"
+-    dompurify: "npm:^2.4.3"
++    dompurify: "npm:^2.5.0"
+     esbuild: "npm:0.18.12"
+     eventemitter3: "npm:5.0.1"
+     fast_array_intersect: "npm:1.1.0"
+@@ -14478,10 +14478,10 @@ __metadata:
+   languageName: node
+   linkType: hard
+ 
+-"dompurify@npm:^2.2.0, dompurify@npm:^2.4.3":
+-  version: 2.4.5
+-  resolution: "dompurify@npm:2.4.5"
+-  checksum: d764c2ff126b3749dad35bc34eed40f51141d7dfd620e938c92f08d68c32beeb259d06abadeee91f6e2a8c8737ce670e2124ac9a257ba3bcdc666598cebcde01
++"dompurify@npm:^2.5.0":
++  version: 2.5.7
++  resolution: "dompurify@npm:2.5.7"
++  checksum: b150ca1e28083252cd51097162dc96cb45203f7e2af1fbaa8ef32b4f4d6b605e4aa8915190d38bd0635cbbf14d13a200138cd3ec1b084096819b14c718355122
+   languageName: node
+   linkType: hard
+ 
diff --git a/SOURCES/create_bundles.sh b/SOURCES/create_bundles.sh
index feb9994..d3c97c1 100755
--- a/SOURCES/create_bundles.sh
+++ b/SOURCES/create_bundles.sh
@@ -59,6 +59,7 @@ awk '$2 ~ /^v/ && $4 != "indirect" {print "Provides: bundled(golang(" $1 ")) = "
 
 # Vendor Node.js dependencies
 patch -p1 --fuzz=0 < ../0005-remove-unused-frontend-crypto.patch
+patch -p1 --fuzz=0 < ../0011-fix-dompurify-CVE.patch
 export HUSKY=0
 yarn install --frozen-lockfile
 
diff --git a/SPECS/grafana.spec b/SPECS/grafana.spec
index 42290d9..6bff02e 100644
--- a/SPECS/grafana.spec
+++ b/SPECS/grafana.spec
@@ -25,7 +25,7 @@ end}
 
 Name:             grafana
 Version:          10.2.6
-Release:          7%{?dist}
+Release:          9%{?dist}
 Summary:          Metrics dashboard and graph editor
 License:          AGPL-3.0-only
 URL:              https://grafana.org
@@ -36,13 +36,13 @@ Source0:          https://github.com/grafana/grafana/archive/v%{version}/%{name}
 # Source1 contains the bundled Go and Node.js dependencies
 # Note: In case there were no changes to this tarball, the NVR of this tarball
 # lags behind the NVR of this package.
-Source1:          grafana-vendor-%{version}-2.tar.xz
+Source1:          grafana-vendor-%{version}-8.tar.xz
 
 %if %{compile_frontend} == 0
 # Source2 contains the precompiled frontend
 # Note: In case there were no changes to this tarball, the NVR of this tarball
 # lags behind the NVR of this package.
-Source2:          grafana-webpack-%{version}-2.tar.gz
+Source2:          grafana-webpack-%{version}-8.tar.gz
 %endif
 
 # Source3 contains the systemd-sysusers configuration
@@ -76,6 +76,7 @@ Patch7:           0007-redact-weak-ciphers.patch
 Patch8:           0008-replace-faulty-slices-sort.patch
 Patch9:           0009-update-wrappers-and-systemd-with-distro-paths.patch
 Patch10:          0010-remove-bcrypt-references.patch
+Patch11:          0011-fix-dompurify-CVE.patch
 
 # Patches affecting the vendor tarball
 Patch1001:        1001-vendor-patch-removed-backend-crypto.patch
@@ -534,7 +535,7 @@ Provides: bundled(npm(date-fns)) = 2.30.0
 Provides: bundled(npm(debounce-promise)) = 3.1.2
 Provides: bundled(npm(devtools-protocol)) = 0.0.927104
 Provides: bundled(npm(diff)) = 4.0.2
-Provides: bundled(npm(dompurify)) = 2.4.5
+Provides: bundled(npm(dompurify)) = 2.5.7
 Provides: bundled(npm(emotion)) = 10.0.27
 Provides: bundled(npm(esbuild)) = 0.17.19
 Provides: bundled(npm(esbuild-loader)) = 3.0.1
@@ -774,6 +775,7 @@ cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} SELinux
 %patch -P 8 -p1
 %patch -P 9 -p1
 %patch -P 10 -p1
+%patch -P 11 -p1
 
 %patch -P 1001 -p1
 %if %{enable_fips_mode}
@@ -1022,6 +1024,13 @@ fi
 %{_datadir}/selinux/*/grafana.pp
 
 %changelog
+* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 10.2.6-9
+- Bump release for October 2024 mass rebuild:
+  Resolves: RHEL-64018
+
+* Mon Oct 28 2024 Sam Feifer <sfeifer@redhat.com> - 10.2.6-8
+- Resolves RHEL-63100: CVE-2024-47875
+
 * Tue Oct 8 2024 Sam Feifer <sfeifer@redhat.com> - 10.2.6-7
 - Resolves: RHEL-57874