Created attachment 231763 [details] grafana8.diff Update to 8.3.5 Security: Fixes CVE-2022-21702, CVE-2022-21703 and CVE-2022-21713.
Created attachment 231764 [details] vuxml.diff
Thank you for the report and patch Boris. Are grafana 7 and 6 also affected?
(In reply to Kubilay Kocak from comment #2) Yep, Grafana 6 and 7 are also affected by the vulnerabilities.
(In reply to Boris Korzun from comment #3) Thank you. Since updates for those ports have not been created, we'll have this track and cover all. Could you please list, for each grafana port (except 8):
- The vulnerable version(s) string to facilitate vuxml entries
- The (minimum) fixed version
- Links to major version specific announcements and changelogs
If you can update the vuxml attachment to cover all major versions, that would be great.
^Triage: Request feedback and update patches for grafana7 and grafana6 respectively
(In reply to Kubilay Kocak from comment #4) The vuxml attachment already contains strings for grafana 7 and grafana 6. Grafana 7 fixed version (7.5.15) release notes - https://github.com/grafana/grafana/releases/tag/v7.5.15 Grafana 6 isn't supported anymore. I've created bug #261560 to set it as deprecated.
Created attachment 231862 [details] grafana8.diff Update to 8.3.6 Release notes: https://github.com/grafana/grafana/releases/tag/v8.3.6
Ping.
A commit in branch main references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=83a1ccc5f2868261bdd465fedd9d13e3ada2efdb
commit 83a1ccc5f2868261bdd465fedd9d13e3ada2efdb
Author: Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2022-02-26 13:10:11 +0000
Commit: Thomas Zander <riggs@FreeBSD.org>
CommitDate: 2022-02-26 13:12:05 +0000
www/grafana8: Update to upstream version 8.3.6
PR: 261892
MFH: 2022Q1
Security: CVE-2022-21702 CVE-2022-21703 CVE-2022-21713
www/grafana8/Makefile | 6 +++---
www/grafana8/Makefile.modules | 4 ++--
www/grafana8/distinfo | 18 +++++++++---------
www/grafana8/pkg-plist | 18 +++++++++++-------
4 files changed, 25 insertions(+), 21 deletions(-)
A commit in branch 2022Q1 references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=6cad1d287bd2d3bdb5d1a0f9688096ee2c08ad11
commit 6cad1d287bd2d3bdb5d1a0f9688096ee2c08ad11
Author: Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2022-02-26 13:10:11 +0000
Commit: Thomas Zander <riggs@FreeBSD.org>
CommitDate: 2022-02-26 14:02:39 +0000
www/grafana8: Update to upstream version 8.3.6
PR: 261892
MFH: 2022Q1
Security: CVE-2022-21702 CVE-2022-21703 CVE-2022-21713
(cherry picked from commit 83a1ccc5f2868261bdd465fedd9d13e3ada2efdb)
www/grafana8/Makefile | 6 +++---
www/grafana8/Makefile.modules | 4 ++--
www/grafana8/distinfo | 18 +++++++++---------
www/grafana8/pkg-plist | 18 +++++++++++-------
4 files changed, 25 insertions(+), 21 deletions(-)
A commit in branch main references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=580776c6bd96e2b9de3e34a8c8c8b395b70aed69
commit 580776c6bd96e2b9de3e34a8c8c8b395b70aed69
Author: Thomas Zander <riggs@FreeBSD.org>
AuthorDate: 2022-02-26 14:58:47 +0000
Commit: Thomas Zander <riggs@FreeBSD.org>
CommitDate: 2022-02-26 14:58:47 +0000
security/vuxml: Document grafana vulnerabilities
PR: 261892
Reported by: Boris Korzun <drtr0jan@yandex.ru>
Security: CVE-2022-21702 CVE-2022-21703 CVE-2022-21713
security/vuxml/vuln-2022.xml | 108 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 108 insertions(+)
Hey robsonmantovani@gmail.com, can you prepare a patch for grafana7?
Created attachment 232849 [details] Update to Grafana 7.5.15 This patch will update to the latest upstream grafana7 release
A commit in branch main references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=fd6096788e23395815509c76a7cdc2198ce6d5ce
commit fd6096788e23395815509c76a7cdc2198ce6d5ce
Author: Thomas Zander <riggs@FreeBSD.org>
AuthorDate: 2022-04-04 05:39:38 +0000
Commit: Thomas Zander <riggs@FreeBSD.org>
CommitDate: 2022-04-04 05:43:43 +0000
www/grafana7: Update to upstream version 7.5.15
PR: 261892
Approved by: Maintainer timeout
MFH: 2022Q2
Security: CVE-2022-21702 CVE-2022-21703 CVE-2022-21713
www/grafana7/Makefile | 7 +++----
www/grafana7/distinfo | 10 +++++-----
2 files changed, 8 insertions(+), 9 deletions(-)
A commit in branch 2022Q2 references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=1dc12b72d5af395acf86652ceb506472657a3803
commit 1dc12b72d5af395acf86652ceb506472657a3803
Author: Thomas Zander <riggs@FreeBSD.org>
AuthorDate: 2022-04-04 05:39:38 +0000
Commit: Thomas Zander <riggs@FreeBSD.org>
CommitDate: 2022-04-04 05:44:23 +0000
www/grafana7: Update to upstream version 7.5.15
PR: 261892
Approved by: Maintainer timeout
MFH: 2022Q2
Security: CVE-2022-21702 CVE-2022-21703 CVE-2022-21713
(cherry picked from commit fd6096788e23395815509c76a7cdc2198ce6d5ce)
www/grafana7/Makefile | 7 +++----
www/grafana7/distinfo | 10 +++++-----
2 files changed, 8 insertions(+), 9 deletions(-)
Summary:
- grafana8 updates smooth.
- Feedback timeout for grafana{6|7} maintainers.
- grafana6 removed from main and 2022Q2.
- grafana7 patch provided by Xander (thanks!) and committed to main and 2022Q2.