Bug 265330

Summary: www/grafana{8,9}: Update to 8.5.9 and 9.0.3 (Fixes security vulnerability)
Product: Ports & Packages
Reporter: Boris Korzun <drtr0jan>
Component: Individual Port(s)
Assignee: Nuno Teixeira <eduardo>
Status: Closed FIXED
Severity: Affects Some People
CC: eduardo, fluffy, ports-secteam
Priority: ---
Keywords: security
Version: Latest
Flags: drtr0jan: maintainer-feedback+
       drtr0jan: merge-quarterly?
Hardware: Any
OS: Any
URL: https://grafana.com/blog/2022/07/14/grafana-v9-0-3-8-5-9-8-4-10-and-8-3-10-released-with-high-severity-security-fix/
Attachments (description / flags):
grafana8.diff / drtr0jan: maintainer-approval+
grafana9.diff / drtr0jan: maintainer-approval+
vuxml.diff / fluffy: maintainer-approval+
grafana9.diff / drtr0jan: maintainer-approval+

Description Boris Korzun 2022-07-20 08:15:40 UTC
Created attachment 235377 [details]
grafana8.diff

Update to 8.5.9
Comment 1 Boris Korzun 2022-07-20 08:16:24 UTC
Created attachment 235378 [details]
grafana9.diff

Update to 9.0.3
Comment 2 Boris Korzun 2022-07-20 08:18:25 UTC
Created attachment 235380 [details]
vuxml.diff

vuxml:
CVE-2022-31097 - Stored XSS
CVE-2022-31107 - OAuth Account Takeover
Comment 3 Nuno Teixeira freebsd_committer freebsd_triage 2022-07-21 07:32:08 UTC
(In reply to Boris Korzun from comment #2)

vuxml.diff doesn't apply
Comment 4 Boris Korzun 2022-07-21 11:39:02 UTC
(In reply to Nuno Teixeira from comment #3)
Hmmm... I've tried again and got:

=====
root@boris:/usr/ports# patch < vuxml.diff 
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml
|index 0a3fa85690aa..4e26009579b4 100644
|--- a/security/vuxml/vuln-2022.xml
|+++ b/security/vuxml/vuln-2022.xml
--------------------------
Patching file security/vuxml/vuln-2022.xml using Plan A...
Hunk #1 succeeded at 170 (offset 169 lines).
done
=====
Comment 5 Boris Korzun 2022-07-21 11:40:23 UTC
Created attachment 235405 [details]
grafana9.diff

Update to 9.0.4

Changelog:
* https://github.com/grafana/grafana/releases/tag/v9.0.3
* https://github.com/grafana/grafana/releases/tag/v9.0.4
Comment 6 commit-hook freebsd_committer freebsd_triage 2022-07-23 22:01:48 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=4bd697c3b70fe899b89048a3581a688832befb98

commit 4bd697c3b70fe899b89048a3581a688832befb98
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2022-07-23 21:57:43 +0000
Commit:     Nuno Teixeira <eduardo@FreeBSD.org>
CommitDate: 2022-07-23 21:57:43 +0000

    security/vuxml: Document new Grafana vulnerabilities

    CVE-2022-31097 - Stored XSS
    CVE-2022-31107 - OAuth Account Takeover

    PR:             265330

 security/vuxml/vuln-2022.xml | 82 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)
Comment 7 commit-hook freebsd_committer freebsd_triage 2022-07-23 22:05:50 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=472a9324f10ad89b68c3981e6d5f25c27a6d5005

commit 472a9324f10ad89b68c3981e6d5f25c27a6d5005
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2022-07-23 22:02:30 +0000
Commit:     Nuno Teixeira <eduardo@FreeBSD.org>
CommitDate: 2022-07-23 22:02:30 +0000

    www/grafana{8,9}: Update to 8.5.9 and 9.0.3 (Fixes security vulnerability)

    ChangeLog:
     * https://github.com/grafana/grafana/releases/tag/v8.5.9
     * https://github.com/grafana/grafana/releases/tag/v9.0.3
     * https://github.com/grafana/grafana/releases/tag/v9.0.4

    PR:             265330

 www/grafana8/Makefile  |  7 ++--
 www/grafana8/distinfo  | 10 +++---
 www/grafana8/pkg-plist |  2 ++
 www/grafana9/Makefile  |  5 ++-
 www/grafana9/distinfo  | 14 ++++----
 www/grafana9/pkg-plist | 96 ++++++++++++++++++++++++--------------------------
 6 files changed, 66 insertions(+), 68 deletions(-)
Comment 8 Nuno Teixeira freebsd_committer freebsd_triage 2022-07-23 22:12:52 UTC
Hi,

merge quarterly flag is set to '?'.

Should I commit to 2022Q3? If yes, then grafana{8,9} should be cherry-picked. What about vuxml?

Cheers
Comment 9 Boris Korzun 2022-07-24 06:07:08 UTC
(In reply to Nuno Teixeira from comment #8)

Thanks for the commit to main.
Grafana{8,9} SHOULD BE cherry-picked to 2022Q3.
But vuxml SHOULD NOT BE cherry-picked.
Comment 10 Nuno Teixeira freebsd_committer freebsd_triage 2022-07-24 11:40:58 UTC
Unable to cherry-pick to 2022Q3 due to conflicts with grafana{8,9} Makefiles.

grafana8 is at PORTREVISION=1
grafana9 is at PORTREVISION=0

Should I cherry-pick the latest PORTREVISIONs first and then this security update?
Comment 11 commit-hook freebsd_committer freebsd_triage 2022-07-28 22:45:52 UTC
A commit in branch 2022Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=19d284d80c07129b897e666ad035e5c339507264

commit 19d284d80c07129b897e666ad035e5c339507264
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2022-07-23 22:02:30 +0000
Commit:     Nuno Teixeira <eduardo@FreeBSD.org>
CommitDate: 2022-07-28 22:44:41 +0000

    www/grafana{8,9}: Update to 8.5.9 and 9.0.4 (Fixes security vulnerability)

    ChangeLog:
     * https://github.com/grafana/grafana/releases/tag/v8.5.9
     * https://github.com/grafana/grafana/releases/tag/v9.0.3
     * https://github.com/grafana/grafana/releases/tag/v9.0.4

    PR:             265330
    (cherry picked from commit 472a9324f10ad89b68c3981e6d5f25c27a6d5005)

 www/grafana8/Makefile  |  7 ++--
 www/grafana8/distinfo  | 10 +++---
 www/grafana8/pkg-plist |  2 ++
 www/grafana9/Makefile  |  4 +--
 www/grafana9/distinfo  | 14 ++++----
 www/grafana9/pkg-plist | 96 ++++++++++++++++++++++++--------------------------
 6 files changed, 66 insertions(+), 67 deletions(-)
Comment 12 Nuno Teixeira freebsd_committer freebsd_triage 2022-07-28 23:41:56 UTC
Committed, thanks!