Bug 267728 - www/grafana{8,9}: Update to 8.5.15 and 9.2.4 (fixes security vulnerabilities)
Summary: www/grafana{8,9}: Update to 8.5.15 and 9.2.4 (fixes security vulnerabilities)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Nuno Teixeira
URL: https://grafana.com/blog/2022/11/08/s...
Keywords: needs-qa, security
Depends on:
Blocks:
 
Reported: 2022-11-12 15:26 UTC by Boris Korzun
Modified: 2022-11-13 00:59 UTC
CC: 2 users

See Also:
eduardo: merge-quarterly+


Attachments
grafana8.diff (2.28 KB, patch)
2022-11-12 15:26 UTC, Boris Korzun
no flags
grafana9.diff (36.59 KB, patch)
2022-11-12 15:28 UTC, Boris Korzun
no flags
vuxml.diff (11.77 KB, patch)
2022-11-12 15:34 UTC, Boris Korzun
eduardo: maintainer-approval+

Description Boris Korzun 2022-11-12 15:26:09 UTC
Created attachment 238031
grafana8.diff

Update to 8.5.15.
Comment 2 Boris Korzun 2022-11-12 15:34:44 UTC
Created attachment 238033
vuxml.diff

vuxml:
* CVE-2022-31123 - Plugin signature bypass
* CVE-2022-31130 - Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
* CVE-2022-39201 - Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
* CVE-2022-39229 - Improper authentication
* CVE-2022-39306 - Privilege escalation
* CVE-2022-39307 - Username enumeration
* CVE-2022-39328 - Privilege escalation (Critical)

https://grafana.com/blog/2022/10/12/grafana-security-releases-new-versions-with-fixes-for-cve-2022-39229-cve-2022-39201-cve-2022-31130-cve-2022-31123/

https://grafana.com/blog/2022/11/08/security-release-new-versions-of-grafana-with-critical-and-moderate-fixes-for-cve-2022-39328-cve-2022-39307-and-cve-2022-39306/
Comment 3 commit-hook freebsd_committer freebsd_triage 2022-11-13 00:19:49 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c01da721e69d9ae724afef61bdb196543c86a461

commit c01da721e69d9ae724afef61bdb196543c86a461
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2022-11-13 00:12:21 +0000
Commit:     Nuno Teixeira <eduardo@FreeBSD.org>
CommitDate: 2022-11-13 00:18:39 +0000

    www/grafana{8,9}: Update to 8.5.15 and 9.2.4 (fixes security vulnerabilities)

    * CVE-2022-31123 - Plugin signature bypass
    * CVE-2022-31130 - Data source and plugin proxy endpoints leaking
      authentication tokens to some destination plugins
    * CVE-2022-39201 - Data source and plugin proxy endpoints leaking
      authentication tokens to some destination plugins
    * CVE-2022-39229 - Improper authentication
    * CVE-2022-39306 - Privilege escalation
    * CVE-2022-39307 - Username enumeration
    * CVE-2022-39328 - Privilege escalation (Critical)

    https://grafana.com/blog/2022/10/12/grafana-security-releases-new-versions-with-fixes-for-cve-2022-39229-cve-2022-39201-cve-2022-31130-cve-2022-31123/

    https://grafana.com/blog/2022/11/08/security-release-new-versions-of-grafana-with-critical-and-moderate-fixes-for-cve-2022-39328-cve-2022-39307-and-cve-2022-39306/

    ChangeLog:      https://github.com/grafana/grafana/releases/tag/v8.5.15
                    https://github.com/grafana/grafana/releases/tag/v9.2.2
                    https://github.com/grafana/grafana/releases/tag/v9.2.3
                    https://github.com/grafana/grafana/releases/tag/v9.2.4
    PR:             267728
    MFH:            2022Q4
    Security:       0a80f159-629b-11ed-9ca2-6c3be5272acd
                    6eb6a442-629a-11ed-9ca2-6c3be5272acd
                    db895ed0-6298-11ed-9ca2-6c3be5272acd
                    4e60d660-6298-11ed-9ca2-6c3be5272acd
                    6f6c9420-6297-11ed-9ca2-6c3be5272acd
                    6877e164-6296-11ed-9ca2-6c3be5272acd
                    909a80ba-6294-11ed-9ca2-6c3be5272acd

 www/grafana8/Makefile  |   7 +-
 www/grafana8/distinfo  |  10 +-
 www/grafana9/Makefile  |   4 +-
 www/grafana9/distinfo  |  14 +--
 www/grafana9/pkg-plist | 297 +++++++++++++++++++++++++------------------------
 5 files changed, 169 insertions(+), 163 deletions(-)
Comment 4 commit-hook freebsd_committer freebsd_triage 2022-11-13 00:19:50 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=69889d2f8d57226190eebde1f7391bcd1478b760

commit 69889d2f8d57226190eebde1f7391bcd1478b760
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2022-11-12 21:26:41 +0000
Commit:     Nuno Teixeira <eduardo@FreeBSD.org>
CommitDate: 2022-11-13 00:18:39 +0000

    security/vuxml: Document Grafana multiple vulnerabilities

    * CVE-2022-31123 - Plugin signature bypass
    * CVE-2022-31130 - Data source and plugin proxy endpoints leaking
      authentication tokens to some destination plugins
    * CVE-2022-39201 - Data source and plugin proxy endpoints leaking
      authentication tokens to some destination plugins
    * CVE-2022-39229 - Improper authentication
    * CVE-2022-39306 - Privilege escalation
    * CVE-2022-39307 - Username enumeration
    * CVE-2022-39328 - Privilege escalation (Critical)

    https://grafana.com/blog/2022/10/12/grafana-security-releases-new-versions-with-fixes-for-cve-2022-39229-cve-2022-39201-cve-2022-31130-cve-2022-31123/
    https://grafana.com/blog/2022/11/08/security-release-new-versions-of-grafana-with-critical-and-moderate-fixes-for-cve-2022-39328-cve-2022-39307-and-cve-2022-39306/

    PR:             267728

 security/vuxml/vuln-2022.xml | 297 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 297 insertions(+)
Comment 5 commit-hook freebsd_committer freebsd_triage 2022-11-13 00:49:59 UTC
A commit in branch 2022Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=28823d911577732c270db216b8de88e3326727c7

commit 28823d911577732c270db216b8de88e3326727c7
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2022-11-13 00:12:21 +0000
Commit:     Nuno Teixeira <eduardo@FreeBSD.org>
CommitDate: 2022-11-13 00:48:50 +0000

    www/grafana{8,9}: Update to 8.5.15 and 9.2.4 (fixes security vulnerabilities)

    * CVE-2022-31123 - Plugin signature bypass
    * CVE-2022-31130 - Data source and plugin proxy endpoints leaking
      authentication tokens to some destination plugins
    * CVE-2022-39201 - Data source and plugin proxy endpoints leaking
      authentication tokens to some destination plugins
    * CVE-2022-39229 - Improper authentication
    * CVE-2022-39306 - Privilege escalation
    * CVE-2022-39307 - Username enumeration
    * CVE-2022-39328 - Privilege escalation (Critical)

    https://grafana.com/blog/2022/10/12/grafana-security-releases-new-versions-with-fixes-for-cve-2022-39229-cve-2022-39201-cve-2022-31130-cve-2022-31123/

    https://grafana.com/blog/2022/11/08/security-release-new-versions-of-grafana-with-critical-and-moderate-fixes-for-cve-2022-39328-cve-2022-39307-and-cve-2022-39306/

    ChangeLog:      https://github.com/grafana/grafana/releases/tag/v8.5.15
                    https://github.com/grafana/grafana/releases/tag/v9.2.2
                    https://github.com/grafana/grafana/releases/tag/v9.2.3
                    https://github.com/grafana/grafana/releases/tag/v9.2.4
    PR:             267728
    MFH:            2022Q4
    Security:       0a80f159-629b-11ed-9ca2-6c3be5272acd
                    6eb6a442-629a-11ed-9ca2-6c3be5272acd
                    db895ed0-6298-11ed-9ca2-6c3be5272acd
                    4e60d660-6298-11ed-9ca2-6c3be5272acd
                    6f6c9420-6297-11ed-9ca2-6c3be5272acd
                    6877e164-6296-11ed-9ca2-6c3be5272acd
                    909a80ba-6294-11ed-9ca2-6c3be5272acd
    (cherry picked from commit c01da721e69d9ae724afef61bdb196543c86a461)

 www/grafana8/Makefile  |   7 +-
 www/grafana8/distinfo  |  10 +-
 www/grafana9/Makefile  |   4 +-
 www/grafana9/distinfo  |  14 +--
 www/grafana9/pkg-plist | 297 +++++++++++++++++++++++++------------------------
 5 files changed, 169 insertions(+), 163 deletions(-)
Comment 6 Nuno Teixeira freebsd_committer freebsd_triage 2022-11-13 00:59:01 UTC
Committed, thanks!