| Summary: | www/grafana[678]: Update to latest versions (8.3.5, 7.?.?, 6.?.?) fixing security vulnerabilities |
|---|---|
| Product: | Ports & Packages |
| Reporter: | Boris Korzun <drtr0jan> |
| Component: | Individual Port(s) |
| Assignee: | Thomas Zander <riggs> |
| Status: | Closed FIXED |
| Severity: | Affects Many People |
| CC: | drtr0jan, hiyorin, ports-secteam, riggs, robsonmantovani, xj.dropbox+freebsd |
| Priority: | Normal |
| Keywords: | needs-patch, needs-qa, security |
| Version: | Latest |
| Flags: | drtr0jan: maintainer-feedback+; riggs: maintainer-feedback-; riggs: maintainer-feedback-; riggs: merge-quarterly+ |
| Hardware: | Any |
| OS: | Any |
| URL: | https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/ |
| Attachments: | 231763 (grafana8.diff), 231764 (vuxml.diff), 231862 (grafana8.diff), 232849 (Update to Grafana 7.5.15) |
Created attachment 231764 [details]: vuxml.diff

Thank you for the report and patch Boris. Are grafana 7 and 6 also affected?

(In reply to Kubilay Kocak from comment #2) Yep, Grafana 6 and 7 are also affected by the vulnerabilities.

(In reply to Boris Korzun from comment #3) Thank you. Since updates for those ports have not been created, we'll have this track and cover all. Could you please list, for each grafana port (except 8):
- The vulnerable version(s) string to facilitate vuxml entries
- The (minimum) fixed version
- Links to major version specific announcements and changelogs
If you can update the vuxml attachment to cover all major versions, that would be great.

Triage: Request feedback and update patches for grafana7 and grafana6 respectively

(In reply to Kubilay Kocak from comment #4) The vuxml attachment already contains strings for grafana 7 and grafana 6. Grafana 7 fixed version (7.5.15) release notes: https://github.com/grafana/grafana/releases/tag/v7.5.15 Grafana 6 isn't supported anymore. I've created bug #261560 to set it as deprecated.

Created attachment 231862 [details]: grafana8.diff
Update to 8.3.6
Release notes: https://github.com/grafana/grafana/releases/tag/v8.3.6

Ping.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=83a1ccc5f2868261bdd465fedd9d13e3ada2efdb
commit 83a1ccc5f2868261bdd465fedd9d13e3ada2efdb
Author: Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2022-02-26 13:10:11 +0000
Commit: Thomas Zander <riggs@FreeBSD.org>
CommitDate: 2022-02-26 13:12:05 +0000

    www/grafana8: Update to upstream version 8.3.6

    PR: 261892
    MFH: 2022Q1
    Security: CVE-2022-21702 CVE-2022-21703 CVE-2022-21713

 www/grafana8/Makefile         |  6 +++---
 www/grafana8/Makefile.modules |  4 ++--
 www/grafana8/distinfo         | 18 +++++++++---------
 www/grafana8/pkg-plist        | 18 +++++++++++-------
 4 files changed, 25 insertions(+), 21 deletions(-)

A commit in branch 2022Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=6cad1d287bd2d3bdb5d1a0f9688096ee2c08ad11
commit 6cad1d287bd2d3bdb5d1a0f9688096ee2c08ad11
Author: Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2022-02-26 13:10:11 +0000
Commit: Thomas Zander <riggs@FreeBSD.org>
CommitDate: 2022-02-26 14:02:39 +0000

    www/grafana8: Update to upstream version 8.3.6

    PR: 261892
    MFH: 2022Q1
    Security: CVE-2022-21702 CVE-2022-21703 CVE-2022-21713

    (cherry picked from commit 83a1ccc5f2868261bdd465fedd9d13e3ada2efdb)

 www/grafana8/Makefile         |  6 +++---
 www/grafana8/Makefile.modules |  4 ++--
 www/grafana8/distinfo         | 18 +++++++++---------
 www/grafana8/pkg-plist        | 18 +++++++++++-------
 4 files changed, 25 insertions(+), 21 deletions(-)

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=580776c6bd96e2b9de3e34a8c8c8b395b70aed69
commit 580776c6bd96e2b9de3e34a8c8c8b395b70aed69
Author: Thomas Zander <riggs@FreeBSD.org>
AuthorDate: 2022-02-26 14:58:47 +0000
Commit: Thomas Zander <riggs@FreeBSD.org>
CommitDate: 2022-02-26 14:58:47 +0000

    security/vuxml: Document grafana vulnerabilities

    PR: 261892
    Reported by: Boris Korzun <drtr0jan@yandex.ru>
    Security: CVE-2022-21702 CVE-2022-21703 CVE-2022-21713

 security/vuxml/vuln-2022.xml | 108 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 108 insertions(+)

Hey robsonmantovani@gmail.com, can you prepare a patch for grafana7?

Created attachment 232849 [details]: Update to Grafana 7.5.15

This patch will update to the latest upstream grafana7 release.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=fd6096788e23395815509c76a7cdc2198ce6d5ce
commit fd6096788e23395815509c76a7cdc2198ce6d5ce
Author: Thomas Zander <riggs@FreeBSD.org>
AuthorDate: 2022-04-04 05:39:38 +0000
Commit: Thomas Zander <riggs@FreeBSD.org>
CommitDate: 2022-04-04 05:43:43 +0000

    www/grafana7: Update to upstream version 7.5.15

    PR: 261892
    Approved by: Maintainer timeout
    MFH: 2022Q2
    Security: CVE-2022-21702 CVE-2022-21703 CVE-2022-21713

 www/grafana7/Makefile |  7 +++----
 www/grafana7/distinfo | 10 +++++-----
 2 files changed, 8 insertions(+), 9 deletions(-)

A commit in branch 2022Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1dc12b72d5af395acf86652ceb506472657a3803
commit 1dc12b72d5af395acf86652ceb506472657a3803
Author: Thomas Zander <riggs@FreeBSD.org>
AuthorDate: 2022-04-04 05:39:38 +0000
Commit: Thomas Zander <riggs@FreeBSD.org>
CommitDate: 2022-04-04 05:44:23 +0000

    www/grafana7: Update to upstream version 7.5.15

    PR: 261892
    Approved by: Maintainer timeout
    MFH: 2022Q2
    Security: CVE-2022-21702 CVE-2022-21703 CVE-2022-21713

    (cherry picked from commit fd6096788e23395815509c76a7cdc2198ce6d5ce)

 www/grafana7/Makefile |  7 +++----
 www/grafana7/distinfo | 10 +++++-----
 2 files changed, 8 insertions(+), 9 deletions(-)

Summary:
- grafana8 updates smooth.
- Feedback timeout for grafana{6|7} maintainers.
- grafana6 removed from main and 2022Q2.
- grafana7 patch provided by Xander (thanks!) and committed to main and 2022Q2.
Created attachment 231763 [details]: grafana8.diff
Update to 8.3.5
Security: Fixes CVE-2022-21702, CVE-2022-21703 and CVE-2022-21713.