Created attachment 235377: grafana8.diff
Update to 8.5.9
Created attachment 235378: grafana9.diff
Update to 9.0.3
Created attachment 235380: vuxml.diff
vuxml:
  CVE-2022-31097 - Stored XSS
  CVE-2022-31107 - OAuth Account Takeover
(In reply to Boris Korzun from comment #2)
vuxml.diff doesn't apply
(In reply to Nuno Teixeira from comment #3)
Hmmm... I've tried again and got:
=====
root@boris:/usr/ports# patch < vuxml.diff
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml
|index 0a3fa85690aa..4e26009579b4 100644
|--- a/security/vuxml/vuln-2022.xml
|+++ b/security/vuxml/vuln-2022.xml
--------------------------
Patching file security/vuxml/vuln-2022.xml using Plan A...
Hunk #1 succeeded at 170 (offset 169 lines).
done
=====
Created attachment 235405: grafana9.diff
Update to 9.0.4
Changelog:
* https://github.com/grafana/grafana/releases/tag/v9.0.3
* https://github.com/grafana/grafana/releases/tag/v9.0.4
A commit in branch main references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=4bd697c3b70fe899b89048a3581a688832befb98
commit 4bd697c3b70fe899b89048a3581a688832befb98
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2022-07-23 21:57:43 +0000
Commit:     Nuno Teixeira <eduardo@FreeBSD.org>
CommitDate: 2022-07-23 21:57:43 +0000
    security/vuxml: Document new Grafana vulnerabilities
    CVE-2022-31097 - Stored XSS
    CVE-2022-31107 - OAuth Account Takeover
    PR: 265330
 security/vuxml/vuln-2022.xml | 82 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)
A commit in branch main references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=472a9324f10ad89b68c3981e6d5f25c27a6d5005
commit 472a9324f10ad89b68c3981e6d5f25c27a6d5005
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2022-07-23 22:02:30 +0000
Commit:     Nuno Teixeira <eduardo@FreeBSD.org>
CommitDate: 2022-07-23 22:02:30 +0000
    www/grafana{8,9}: Update to 8.5.9 and 9.0.3 (Fixes security vulnerability)
    ChangeLog:
    * https://github.com/grafana/grafana/releases/tag/v8.5.9
    * https://github.com/grafana/grafana/releases/tag/v9.0.3
    * https://github.com/grafana/grafana/releases/tag/v9.0.4
    PR: 265330
 www/grafana8/Makefile  |  7 ++--
 www/grafana8/distinfo  | 10 +++---
 www/grafana8/pkg-plist |  2 ++
 www/grafana9/Makefile  |  5 ++-
 www/grafana9/distinfo  | 14 ++++----
 www/grafana9/pkg-plist | 96 ++++++++++++++++++++++++--------------------------
 6 files changed, 66 insertions(+), 68 deletions(-)
Hi, merge quarterly flag is set to '?'. Should I commit to 2022Q3? If yes, then grafana{8,9} should be cherry-picked. What about vuxml? Cheers
(In reply to Nuno Teixeira from comment #8)
Thx for commit to main. Grafana{8,9} SHOULD BE cherry-picked to 2022Q3. But vuxml SHOULD NOT BE cherry-picked.
Unable to cherry-pick to 2022Q3 due to conflicts with grafana{8,9} Makefiles.
grafana8 is at PORTREVISION=1
grafana9 is at PORTREVISION=0
Should I cherry-pick latest PORTREVISIONs first and then this security update?
A commit in branch 2022Q3 references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=19d284d80c07129b897e666ad035e5c339507264
commit 19d284d80c07129b897e666ad035e5c339507264
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2022-07-23 22:02:30 +0000
Commit:     Nuno Teixeira <eduardo@FreeBSD.org>
CommitDate: 2022-07-28 22:44:41 +0000
    www/grafana{8,9}: Update to 8.5.9 and 9.0.4 (Fixes security vulnerability)
    ChangeLog:
    * https://github.com/grafana/grafana/releases/tag/v8.5.9
    * https://github.com/grafana/grafana/releases/tag/v9.0.3
    * https://github.com/grafana/grafana/releases/tag/v9.0.4
    PR: 265330
    (cherry picked from commit 472a9324f10ad89b68c3981e6d5f25c27a6d5005)
 www/grafana8/Makefile  |  7 ++--
 www/grafana8/distinfo  | 10 +++---
 www/grafana8/pkg-plist |  2 ++
 www/grafana9/Makefile  |  4 +--
 www/grafana9/distinfo  | 14 ++++----
 www/grafana9/pkg-plist | 96 ++++++++++++++++++++++++--------------------------
 6 files changed, 66 insertions(+), 67 deletions(-)
Committed, thanks!