Bug 268078 - www/grafana9: Update to 9.2.7 (fixes security vulnerability)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Fernando Apesteguía
URL: https://grafana.com/blog/2022/11/29/g...
Keywords: security
Depends on:
Blocks:
 
Reported: 2022-11-30 11:47 UTC by Boris Korzun
Modified: 2022-12-23 15:49 UTC

See Also:
fernape: merge-quarterly+


Attachments
grafana9.diff (9.67 KB, patch)
2022-11-30 11:47 UTC, Boris Korzun
drtr0jan: maintainer-approval+
vuxml.diff (377 bytes, patch)
2022-11-30 11:48 UTC, Boris Korzun
no flags
vuxml.diff (643 bytes, patch)
2022-11-30 11:50 UTC, Boris Korzun
drtr0jan: maintainer-approval? (ports-secteam)
pkg-plist.diff (6.22 KB, patch)
2022-12-06 09:37 UTC, Boris Korzun
drtr0jan: maintainer-approval+

Description Boris Korzun 2022-11-30 11:47:46 UTC
Created attachment 238444 [details]
grafana9.diff

Update to 9.2.7.

Changelog: https://github.com/grafana/grafana/releases/tag/v9.2.7

Fixes high severity security vulnerability: CVE-2022-31097
Comment 1 Boris Korzun 2022-11-30 11:48:47 UTC
Created attachment 238445 [details]
vuxml.diff

vuxml: CVE-2022-31097 update
Comment 2 Boris Korzun 2022-11-30 11:50:33 UTC
Created attachment 238446 [details]
vuxml.diff
Comment 3 Fernando Apesteguía freebsd_committer freebsd_triage 2022-11-30 17:43:53 UTC
^Triage: Please set the maintainer-approval attachment flag (to +) on patches for ports you maintain to signify approval.
--
Attachment -> Details -> maintainer-approval [+]


Thanks!

Also, thanks for the vuxml entry.
Comment 4 Boris Korzun 2022-11-30 17:51:25 UTC
Comment on attachment 238444 [details]
grafana9.diff

(In reply to Fernando Apesteguía from comment #3)
In bug #266872 Nuno Teixeira informed me that there was no need to set approval since it was implicit when the submitter was a maintainer.
Comment 5 Fernando Apesteguía freebsd_committer freebsd_triage 2022-11-30 21:41:35 UTC
(In reply to Boris Korzun from comment #4)
maintainer-feedback != maintainer-approval :-)

If you are the maintainer you don't set maintainer-feedback unless someone requests it first, but you should always set maintainer-approval in the *attachments*.
Comment 6 commit-hook freebsd_committer freebsd_triage 2022-12-01 11:32:05 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=88270fe5a24f6286e7c774be0fa8825ee47981a6

commit 88270fe5a24f6286e7c774be0fa8825ee47981a6
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2022-11-30 17:40:01 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2022-12-01 11:27:47 +0000

    www/grafana9: Update to 9.2.7 (CVE-2022-31097)

    ChangeLog:
    https://grafana.com/blog/2022/11/29/grafana-security-release-new-versions-with-high-severity-security-fix-for-cve-2022-31097/

    PR:             268078
    Reported by:    drtr0jan@yandex.ru (maintainer)
    MFH:            2022Q4 (security release)
    Security:       CVE-2022-31097

 www/grafana9/Makefile  |  4 ++--
 www/grafana9/distinfo  | 14 +++++++-------
 www/grafana9/pkg-plist | 52 +++++++++++++++++++++++++-------------------------
 3 files changed, 35 insertions(+), 35 deletions(-)
Comment 7 commit-hook freebsd_committer freebsd_triage 2022-12-01 11:33:06 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f5c4812fa522a84ac4a8ee11ae012024f7f09351

commit f5c4812fa522a84ac4a8ee11ae012024f7f09351
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2022-12-01 11:26:10 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2022-12-01 11:28:32 +0000

    security/vuxml: Record grafana9 vulnerability.

    Add privilege escalation for CVE-2022-31097.
    PR:     268078

 security/vuxml/vuln/2022.xml | 2 ++
 1 file changed, 2 insertions(+)
Comment 8 Fernando Apesteguía freebsd_committer freebsd_triage 2022-12-01 11:33:18 UTC
Committed,

Thanks!
Comment 9 commit-hook freebsd_committer freebsd_triage 2022-12-01 11:37:08 UTC
A commit in branch 2022Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=fb9fa86fb245e89ca5074b9bfa0c1c774b232d92

commit fb9fa86fb245e89ca5074b9bfa0c1c774b232d92
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2022-11-30 17:40:01 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2022-12-01 11:32:35 +0000

    www/grafana9: Update to 9.2.7 (CVE-2022-31097)

    ChangeLog:
    https://grafana.com/blog/2022/11/29/grafana-security-release-new-versions-with-high-severity-security-fix-for-cve-2022-31097/

    PR:             268078
    Reported by:    drtr0jan@yandex.ru (maintainer)
    MFH:            2022Q4 (security release)
    Security:       CVE-2022-31097

    (cherry picked from commit 88270fe5a24f6286e7c774be0fa8825ee47981a6)

 www/grafana9/Makefile  |  4 ++--
 www/grafana9/distinfo  | 14 +++++++-------
 www/grafana9/pkg-plist | 50 +++++++++++++++++++++++++++-----------------------
 3 files changed, 36 insertions(+), 32 deletions(-)
Comment 10 Boris Korzun 2022-12-06 09:37:47 UTC
Created attachment 238568 [details]
pkg-plist.diff

(In reply to commit-hook from comment #9)
You forgot to cherry-pick pkg-plist from the previous commit to 2022Q4.
Building 9.2.7 in 2022Q4 fails.
Can you commit the proposed patch?
Comment 11 Boris Korzun 2022-12-07 08:10:38 UTC
Ping!

Please fix by committing the patch.

https://pkg-status.freebsd.org/beefy4/data/123i386-quarterly/c62aeba74957/logs/grafana9-9.2.7.log
Comment 12 commit-hook freebsd_committer freebsd_triage 2022-12-23 15:49:40 UTC
A commit in branch 2022Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=8e65e399fff101c33bd5389235dd61643e142b95

commit 8e65e399fff101c33bd5389235dd61643e142b95
Author:     Bryan Drewery <bdrewery@FreeBSD.org>
AuthorDate: 2022-12-23 15:48:16 +0000
Commit:     Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2022-12-23 15:48:16 +0000

    www/grafana9: Fix plist

    PR:             268078

 www/grafana9/pkg-plist | 34 ++++++++++++++++++----------------
 1 file changed, 18 insertions(+), 16 deletions(-)