Created attachment 259832
grafana.patch

Update to 11.6.1
Changelog: https://github.com/grafana/grafana/releases/tag/v11.6.1
Created attachment 259834
vuxml.patch

vuxml:
* CVE-2025-2703 - DOM XSS vulnerability (Medium)
* CVE-2025-3260 - Bypass Viewer and Editor permission (High)
* CVE-2025-3454 - Authorization bypass in data source proxy API (Medium)
https://grafana.com/blog/2025/04/22/grafana-security-release-medium-and-high-severity-fixes-for-cve-2025-3260-cve-2025-2703-cve-2025-3454/
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=090b96f085d03e6a7b88ad257e6daf1e5afc6019

commit 090b96f085d03e6a7b88ad257e6daf1e5afc6019
Author: Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2025-04-24 16:35:57 +0000
Commit: Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2025-04-24 16:51:33 +0000

    www/grafana: Update 11.6.0 => 11.6.1

    Changelog: https://github.com/grafana/grafana/releases/tag/v11.6.1

    CVEs fixed:
    * CVE-2025-2703 - DOM XSS vulnerability (Medium)
    * CVE-2025-3260 - Bypass Viewer and Editor permission (High)
    * CVE-2025-3454 - Authorization bypass in data source proxy API (Medium)
    https://grafana.com/blog/2025/04/22/grafana-security-release-medium-and-high-severity-fixes-for-cve-2025-3260-cve-2025-2703-cve-2025-3454/

    PR: 286323
    Security: CVE-2025-2703
    Security: CVE-2025-3260
    Security: CVE-2025-3454
    MFH: 2025Q2

 www/grafana/Makefile | 7 ++---
 www/grafana/distinfo | 82 ++++++++++++++++++++++++++--------------------------
 2 files changed, 44 insertions(+), 45 deletions(-)
A commit in branch 2025Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=0bd67fe7a36b3a9903fbd1c9f6e5094071ba660b

commit 0bd67fe7a36b3a9903fbd1c9f6e5094071ba660b
Author: Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2025-04-24 16:35:57 +0000
Commit: Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2025-04-24 17:00:57 +0000

    www/grafana: Update 11.6.0 => 11.6.1

    Changelog: https://github.com/grafana/grafana/releases/tag/v11.6.1

    CVEs fixed:
    * CVE-2025-2703 - DOM XSS vulnerability (Medium)
    * CVE-2025-3260 - Bypass Viewer and Editor permission (High)
    * CVE-2025-3454 - Authorization bypass in data source proxy API (Medium)
    https://grafana.com/blog/2025/04/22/grafana-security-release-medium-and-high-severity-fixes-for-cve-2025-3260-cve-2025-2703-cve-2025-3454/

    PR: 286323
    Security: CVE-2025-2703
    Security: CVE-2025-3260
    Security: CVE-2025-3454
    MFH: 2025Q2

    (cherry picked from commit 090b96f085d03e6a7b88ad257e6daf1e5afc6019)

 www/grafana/Makefile | 6 ++--
 www/grafana/distinfo | 82 ++++++++++++++++++++++++++--------------------------
 2 files changed, 44 insertions(+), 44 deletions(-)
Thanks, committed. Need to commit vuxml.
Comment on attachment 259834
vuxml.patch

Taking the vuxml part. Much appreciated.
Committed, Thanks!
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=41bcfffbcbad15a0460cb6fd8902aef6daa12376

commit 41bcfffbcbad15a0460cb6fd8902aef6daa12376
Author: Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2025-04-25 06:25:12 +0000
Commit: Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2025-04-25 06:25:12 +0000

    security/vuxml: Add grafana vulnerabilities

    * CVE-2025-2703 - DOM XSS vulnerability (Medium)
    * CVE-2025-3260 - Bypass Viewer and Editor permission (High)
    * CVE-2025-3454 - Authorization bypass in data source proxy API (Medium)

    PR: 286323
    Reported by: Boris Korzun <drtr0jan@yandex.ru

 security/vuxml/vuln/2025.xml | 121 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 121 insertions(+)