5 changed files with 61 additions and 140 deletions
--- a/SOURCES/0008-graphite-functions-xss.patch
+++ b/SOURCES/0008-graphite-functions-xss.patch
@ -1,14 +1,15 @@
 From 05df8dcac715113517b81b1995ab1f0b69017f4a Mon Sep 17 00:00:00 2001
 From: ismail simsek <ismailsimsek09@gmail.com>
-Date:   Thu Mar 16 23:16:03 2023 +0100
+Date: Thu, 16 Mar 2023 23:16:03 +0100
 Subject: [PATCH] graphite functions xss
 commit e59427c074
    [v9.2.x] Fix xss in Graphite functions tooltip (#810)
-    
+
    Fix xss in Graphite functions tooltip (#804)
-    
+
    (cherry picked from commit 87aad3f11836f810ee1fdfee27827e746ef36055)
-    
+
    Co-authored-by: Ludovic Viaud <ludovic.viaud@gmail.com>
 diff --git a/public/app/plugins/datasource/graphite/components/FunctionEditorControls.tsx b/public/app/plugins/datasource/graphite/components/FunctionEditorControls.tsx
--- a/SOURCES/0009-redact-weak-ciphers.patch
+++ b/SOURCES/0009-redact-weak-ciphers.patch
@ -1,30 +0,0 @@
 From 3236aa416f6d1b109bff1fdd4127292988fb199c Mon Sep 17 00:00:00 2001
 From: Stan Cox <scox@redhat.com>
 Date: Wed, 22 Jun 2022 17:05:48 +0200
 Subject: [PATCH] redact weak ciphers
 diff --git a/pkg/api/http_server.go b/pkg/api/http_server.go
 index 2d6e1235b6..f0eff6d2ac 100644
 --- a/pkg/api/http_server.go	2023-01-24 14:44:19.000000000 -0500
 +++ b/pkg/api/http_server.go	2023-04-21 13:14:02.684857018 -0400
@@ -489,13 +489,13 @@
 			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 -			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 +//			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
 -			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
 -			tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
 -			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
 -			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
 -			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
 +//			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
 +//			tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
 +//			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
 +//			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
 +//			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
 		},
 	}
--- a/SOURCES/0013-snapshot-delete-check-org.patch
+++ b/SOURCES/0013-snapshot-delete-check-org.patch
@ -1,21 +0,0 @@
 From 9c1236ba6e7d4c6506c62adeb830d9e56db7f425 Mon Sep 17 00:00:00 2001
 From: Sam Feifer <sfeifer@redhat.com>
 Date: Thu, 28 Mar 2024 13:24:35 -0400
 Subject: [PATCH] snapshot delete check org
 diff --git a/pkg/api/dashboard_snapshot.go b/pkg/api/dashboard_snapshot.go
 index 47ae50544a..0007e89ccb 100644
 --- a/pkg/api/dashboard_snapshot.go
 +++ b/pkg/api/dashboard_snapshot.go
@@ -328,6 +328,10 @@ func (hs *HTTPServer) DeleteDashboardSnapshot(c *models.ReqContext) response.Res
 		return response.Error(http.StatusNotFound, "Failed to get dashboard snapshot", nil)
 	}
 +	if query.Result.OrgId != c.OrgID {
 +		return response.Error(http.StatusUnauthorized, "OrgID mismatch", nil)
 +	}
 +
 	if query.Result.External {
 		err := deleteExternalDashboardSnapshot(query.Result.ExternalDeleteUrl)
 		if err != nil {
--- a/SOURCES/create_bundles_in_container.sh
+++ b/SOURCES/create_bundles_in_container.sh
@ -6,7 +6,7 @@
 #
 cat <<EOF | podman build -t grafana-build -f - .
-FROM fedora:36
+FROM fedora:35
 RUN dnf upgrade -y && \
    dnf install -y rpmdevtools python3-packaging python3-pyyaml make golang nodejs yarnpkg
--- a/SPECS/grafana.spec
+++ b/SPECS/grafana.spec
@ -1,3 +1,13 @@
 # gobuild and gotest macros are not available on CentOS Stream
 # remove once BZ 1965292 is resolved
 # definitions lifted from Fedora 34 podman.spec
 %if ! 0%{?gobuild:1}
 %define gobuild(o:) GO111MODULE=off go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld '" -a -v -x %{?**};
 %endif
 %if ! 0%{?gotest:1}
 %define gotest() GO111MODULE=off go test -buildmode pie -compiler gc -ldflags "${LDFLAGS:-} -extldflags '-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld '" %{?**};
 %endif
 # Specify if the frontend will be compiled as part of the build or
 # is attached as a webpack tarball (in case of an unsuitable nodejs version on the build system)
 %define compile_frontend 0
@ -25,9 +35,9 @@ end}
 Name:             grafana
 Version:          9.2.10
-Release:          16%{?dist}
+Release:          15%{?dist}
 Summary:          Metrics dashboard and graph editor
-License:          AGPL-3.0-only
+License:          AGPLv3
 URL:              https://grafana.org
 # Source0 contains the tagged upstream sources
@ -74,11 +84,9 @@ Patch5:           0005-remove-unused-frontend-crypto.patch
 Patch6:           0006-skip-marketplace-plugin-install-test.patch
 Patch7:           0007-fix-alert-test.patch
 Patch8:           0008-graphite-functions-xss.patch
 Patch9:           0009-redact-weak-ciphers.patch
 Patch10:          0010-skip-tests.patch
 Patch11:          0011-remove-email-lookup.patch
 Patch12:          0012-coredump-selinux-error.patch
 Patch13:          0013-snapshot-delete-check-org.patch
 # Patches affecting the vendor tarball
 Patch1001:        1001-vendor-patch-removed-backend-crypto.patch
@ -733,7 +741,7 @@ BuildRequires: checkpolicy, selinux-policy-devel, selinux-policy-targeted
 Requires:       selinux-policy >= %{_selinux_policy_version}
 %endif
 Requires:       %{name} = %{version}-%{release}
-Requires:	selinux-policy-targeted
+Requires:       selinux-policy-targeted
 Requires(post):   /usr/sbin/semodule, /usr/sbin/semanage, /sbin/restorecon, /sbin/fixfiles, grafana
 Requires(postun): /usr/sbin/semodule, /usr/sbin/semanage, /sbin/restorecon, /sbin/fixfiles, /sbin/service, grafana
@ -762,11 +770,9 @@ cp -p %{SOURCE8} %{SOURCE9} %{SOURCE10} SELinux
 %patch -P 6 -p1
 %patch -P 7 -p1
 %patch -P 8 -p1
 %patch -P 9 -p1
 %patch -P 10 -p1
 %patch -P 11 -p1
 %patch -P 12 -p1
 %patch -P 13 -p1
 %patch -P 1001 -p1
 %if %{enable_fips_mode}
@ -875,7 +881,10 @@ done
 cd -
 %pre
-%sysusers_create_compat %{SOURCE3}
+# sysusers_create_compat macro is not present in rhel8
 # SOURCE3 may not be available in %%prein stage so specify on command line via --replace
 # instead of "systemd-sysusers %%{SOURCE3}"
 echo 'u     grafana -  "Grafana user account" /usr/share/grafana' | systemd-sysusers --replace=/usr/lib/sysusers.d/grafana.conf -
 %preun
 %systemd_preun grafana-server.service
@ -1010,70 +1019,54 @@ fi
 %{_datadir}/selinux/*/grafana.pp
 %changelog
-* Tue Apr 16 2024 Sam Feifer <sfeifer@redhat.com> 9.2.10-16
+* Fri Mar 29 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 9.2.10-15
- Check OrdID is correct before deleting snapshot
+- Rebuilt for MSVSphere 8.10 beta
 - fix CVE-2024-1313
 - fix CVE-2024-1394
 * Wed Jan 31 2024 Sam Feifer <sfeifer@redhat.com> 9.2.10-15
- Resolves RHEL-23468
+- Resolves RHEL-23466
 - Resolves RHEL-21027
 - Allows for gid to be 0
 - Allows for postgreSQL datasource in selinux policy
-* Tue Dec 19 2023 Sam Feifer <sfeifer@redhat.com> 9.2.10-14
+* Mon Dec 18 2023 Sam Feifer <sfeifer@redhat.com> 9.2.10-14
- Fixes postgresql AVC denial
+- Resolves RHEL-19596
 - Related RHEL-7505
 * Thu Dec 14 2023 Sam Feifer <sfeifer@redhat.com> 9.2.10-13
 - Resolves RHEL-19296
 - Fixes coredump issue introduced by selinux
 - Patches out call to panic when trying to walk "/" directory
 - Fixes postgresql AVC denial
-* Thu Nov 30 2023 Sam Feifer <sfeifer@redhat.com> 9.2.10-12
+* Fri Dec 1 2023 Sam Feifer <sfeifer@redhat.com> 9.2.10-12
- Resolves RHEL-7505
+- Resolves RHEL-7503
 - Fixes additional selinux denials found when testing on certain architectures
 * Tue Nov 21 2023 Sam Feifer <sfeifer@redhat.com> 9.2.10-11
 - Resolves RHEL-7505
 - Fixes selinux denials found when testing on certain architectures
 * Wed Nov 15 2023 Sam Feifer <sfeifer@redhat.com> 9.2.10-10
 - Resolves RHEL-7505
 - Adds a selinux policy for grafana
- Resolves RHEL-12666
+- Resolves RHEL-12650
 - fix CVE-2023-39325 CVE-2023-44487 rapid stream resets can cause excessive work
 * Fri Jul 21 2023 Stan Cox <scox@redhat.com> 9.2.10-6
 - Add /usr/share/grafana to systemd-sysusers --replace
 * Thu Jul 20 2023 Stan Cox <scox@redhat.com> 9.2.10-5
 - resolve CVE-2023-3128 grafana: account takeover possible when using Azure AD OAuth
-* Thu Jun 8 2023 Stan Cox <scox@redhat.com> 9.2.10-3
+* Thu Jun 8 2023 Stan Cox <scox@redhat.com> 9.2.10-4
- bumps exporter-toolkit to v0.7.3, sanitize-url@npm to 6.0.2, skip problematic s390 tests, License AGPL-3.0-only.
+- bumps exporter-toolkit to v0.7.3, sanitize-url@npm to 6.0.2, skip problematic s390 tests.
-* Mon May 15 2023 Stan Cox <scox@redhat.com> 9.2.10-2
+* Thu May 25 2023 Stan Cox <scox@redhat.com> 9.2.10-3
- Update to 9.2.10
+- Use systemd-sysusers --replace
 * Tue May 23 2023 Jan Kurik <jkurik@redhat.com> 9.2.10-2
 - Use systemd-sysusers instead of sysusers_create_compat, which is not available in RHEL-8
 * Thu May 04 2023 Stan Cox <scox@redhat.com> 9.2.10-1
 - Update to 9.2.10
-* Tue Nov 01 2022 Stan Cox <scox@redhat.com> 9.0.9-2
+* Mon Oct 31 2022 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.15-4
- resolve CVE-2022-39229 grafana: Using email as a username can prevent other users from signing in
+- resolve CVE-2022-39229 grafana: using email as a username can block other users from signing in
- resolve CVE-2022-2880 CVE-2022-41715 grafana: various flaws
+- resolve CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
-
+- resolve CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
-* Wed Sep 21 2022 Andreas Gerstmayr <agerstmayr@redhat.com> 9.0.9-1
+- resolve CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
- update to 9.0.9 tagged upstream community sources, see CHANGELOG
+- run integration tests in check phase
- resolve CVE-2022-35957 grafana: Escalation from admin to server admin when auth proxy is used (rhbz#2125530)
+- update FIPS patch with latest changes in Go packaging
-* Tue Sep 20 2022 Andreas Gerstmayr <agerstmayr@redhat.com> 9.0.8-2
+* Wed Aug 10 2022 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.15-3
 - bump NVR
 * Thu Sep 15 2022 Andreas Gerstmayr <agerstmayr@redhat.com> 9.0.8-1
 - update to 9.0.8 tagged upstream community sources, see CHANGELOG
 - do not list /usr/share/grafana/conf twice
 - drop makefile in favor of create_bundles.sh script
 - sync provides/obsoletes with CentOS versions
 - drop husky patch
 * Thu Aug 11 2022 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.15-3
 - resolve CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
 - resolve CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
 - resolve CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
@ -1084,7 +1077,7 @@ fi
 - resolve CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
 - resolve CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal
-* Tue Jul 26 2022 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.15-2
+* Wed Jul 20 2022 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.15-2
 - resolve CVE-2022-31107 grafana: OAuth account takeover
 * Fri Apr 22 2022 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.15-1
@ -1098,10 +1091,6 @@ fi
 - declare Node.js dependencies of subpackages
 - make vendor and webpack tarballs reproducible
 * Tue Jan 18 2022 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.11-3
 - use HMAC-SHA-256 instead of SHA-1 to generate password reset tokens
 - update FIPS tests in check phase
 * Thu Dec 16 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.11-2
 - resolve CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache
 - resolve CVE-2021-43813 grafana: directory traversal vulnerability for *.md files
@ -1113,9 +1102,8 @@ fi
 * Thu Sep 30 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.10-1
 - update to 7.5.10 tagged upstream community sources, see CHANGELOG
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 7.5.9-3
+* Mon Aug 16 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.9-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+- rebuild to resolve CVE-2021-34558
  Related: rhbz#1991688
 * Thu Jul 08 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.9-2
 - remove unused dependency property-information
@ -1124,10 +1112,6 @@ fi
 * Fri Jun 25 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.9-1
 - update to 7.5.9 tagged upstream community sources, see CHANGELOG
 * Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 7.5.8-2
 - Rebuilt for RHEL 9 BETA for openssl 3.0
  Related: rhbz#1971065
 * Mon Jun 21 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.8-1
 - update to 7.5.8 tagged upstream community sources, see CHANGELOG
 - remove unused dependencies selfsigned, http-signature and gofpdf
@ -1139,12 +1123,6 @@ fi
 * Tue May 25 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.7-1
 - update to 7.5.7 tagged upstream community sources, see CHANGELOG
 * Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 7.3.6-4
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7.3.6-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 * Fri Jan 22 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.3.6-2
 - change working dir to $GRAFANA_HOME in grafana-cli wrapper (fixes Red Hat BZ #1916083)
 - add pcp-redis-datasource to allow_loading_unsigned_plugins config option
@ -1155,24 +1133,17 @@ fi
 * Wed Nov 25 2020 Andreas Gerstmayr <agerstmayr@redhat.com> 7.3.4-1
 - update to 7.3.4 tagged upstream community sources, see CHANGELOG
-
+- bundle golang dependencies
 * Tue Nov 10 2020 Andreas Gerstmayr <agerstmayr@redhat.com> 7.3.1-1
 - update to 7.3.1 tagged upstream community sources, see CHANGELOG
 - optionally bundle node.js dependencies and build and test frontend as part of the specfile
- change default provisioning path to /etc/grafana/provisioning (changed in version 7.1.1-1)
+- merge all datasources into main grafana package
 - change default provisioning path to /etc/grafana/provisioning
 - resolve https://bugzilla.redhat.com/show_bug.cgi?id=1843170
-* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7.1.1-2
+* Thu Aug 20 2020 Andreas Gerstmayr <agerstmayr@redhat.com> 6.7.4-3
- Second attempt - Rebuilt for
+- apply patch for CVE-2020-13430 also to sources, not only to compiled webpack
  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Thu Jul 30 2020 Andreas Gerstmayr <agerstmayr@redhat.com> 7.1.1-1
 - update to 7.1.1 tagged upstream community sources, see CHANGELOG
 - merge all datasources into main grafana package
 - bundle golang dependencies
-* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 6.7.4-2
+* Wed Aug 19 2020 Andreas Gerstmayr <agerstmayr@redhat.com> 6.7.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+- security fix for CVE-2020-13430
 * Fri Jun 05 2020 Andreas Gerstmayr <agerstmayr@redhat.com> 6.7.4-1
 - update to 6.7.4 tagged upstream community sources, see CHANGELOG