Created attachment 260654
grafana.patch

Update to 12.0.1.
Changelog: https://github.com/grafana/grafana/releases/tag/v12.0.1

Also updated ARCHS.

Created attachment 260655
vuxml.patch

vuxml:
* CVE-2025-4123 - XSS vulnerability
* CVE-2025-3580 - User deletion issue

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=6e1ab017f3c8e2b355524f6a99f3f1a5366628b5

commit 6e1ab017f3c8e2b355524f6a99f3f1a5366628b5
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2025-05-23 16:11:47 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2025-05-23 16:18:38 +0000

    www/grafana: Update 12.0.0 => 12.0.1 (Fixes security vulnerabilities)

    Release Notes: https://grafana.com/blog/2025/05/23/grafana-security-release-medium-and-high-severity-security-fixes-for-cve-2025-4123-and-cve-2025-3580/
    Changelog: https://github.com/grafana/grafana/releases/tag/v12.0.1

    Update ONLY_FOR_ARCHS.
    Remove go version after default go version was increased to 1.24.

    PR:             287019
    Security:       CVE-2025-4123
    Security:       CVE-2025-3580
    MFH:            2025Q2

 www/grafana/Makefile |   9 ++--
 www/grafana/distinfo | 122 +++++++++++++++++++++++++--------------------------
 2 files changed, 65 insertions(+), 66 deletions(-)

(In reply to Boris Korzun from comment #1)
About merge-quarterly - breaking changes:
https://grafana.com/docs/grafana/latest/whatsnew/whats-new-in-v12-0/#breaking-changes-in-grafana-v120
How significant are they?
Maybe we need to add something to the pkg-message?

Or direct commit to 2025Q2 with update 11.6.1 => 11.6.2?
(In reply to Vladimir Druzenko from comment #3)
Nope. Unfortunately, 12.0.1 and 11.6.2 are built with go1.24.3. But there's only go1.24.1 in 2025Q2. We need to wait for an MFH for lang/go124.