Bug 258962 - www/grafana8: Update to 8.1.6 (Fixes critical vulnerability)
Summary: www/grafana8: Update to 8.1.6 (Fixes critical vulnerability)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Yasuhiro Kimura
URL: https://grafana.com/blog/2021/10/05/g...
Reported: 2021-10-06 13:04 UTC by Boris Korzun
Modified: 2021-10-27 09:11 UTC

See Also:
yasu: merge-quarterly+


Attachments
grafana8.diff (2.06 KB, patch)
2021-10-06 13:04 UTC, Boris Korzun
drtr0jan: maintainer-approval+
vuxml.diff (2.24 KB, patch)
2021-10-06 13:04 UTC, Boris Korzun
drtr0jan: maintainer-approval?
grafana8.diff (5.52 KB, patch)
2021-10-06 19:53 UTC, Boris Korzun
drtr0jan: maintainer-approval+

Description Boris Korzun 2021-10-06 13:04:21 UTC
Created attachment 228478
grafana8.diff

Changelog:
 * Security: Fixes CVE-2021-39226. For more information, see our blog ( https://grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-critical-security-fix/ )

Also attached vuln.xml
Comment 1 Boris Korzun 2021-10-06 13:04:58 UTC
Created attachment 228479
vuxml.diff
Comment 2 Boris Korzun 2021-10-06 19:53:35 UTC
Created attachment 228488
grafana8.diff

Update to 8.1.7.

Changelog:
 * Security: Fixes CVE-2021-39226. For more information, see our blog ( https://grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-critical-security-fix/ )
 * Alerting: Fix alerts with evaluation interval more than 30 seconds resolving before notification.
 * Elasticsearch/Prometheus: Fix usage of proper SigV4 service namespace.
Comment 3 Boris Korzun 2021-10-20 06:26:29 UTC
Ping
Comment 4 Yasuhiro Kimura freebsd_committer freebsd_triage 2021-10-27 08:32:51 UTC
Take.
Comment 5 commit-hook freebsd_committer freebsd_triage 2021-10-27 09:02:58 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=725c5eb1df6a47cad84a95b05ee2460868a93096

commit 725c5eb1df6a47cad84a95b05ee2460868a93096
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2021-10-27 08:30:01 +0000
Commit:     Yasuhiro Kimura <yasu@FreeBSD.org>
CommitDate: 2021-10-27 09:01:29 +0000

    www/grafana8: Update to 8.1.6

    ReleaseNotes:   https://grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-critical-security-fix/
    PR:             258962
    Security:       CVE-2021-39226

 www/grafana8/Makefile         | 13 ++++++-------
 www/grafana8/Makefile.modules |  3 ++-
 www/grafana8/distinfo         | 16 +++++++++-------
 3 files changed, 17 insertions(+), 15 deletions(-)
Comment 6 commit-hook freebsd_committer freebsd_triage 2021-10-27 09:02:59 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e2ee21b6d9e95f4daacef5b04106bfda93897e0f

commit e2ee21b6d9e95f4daacef5b04106bfda93897e0f
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2021-10-26 10:29:22 +0000
Commit:     Yasuhiro Kimura <yasu@FreeBSD.org>
CommitDate: 2021-10-27 09:01:21 +0000

    security/vuxml: Document snapshot authentication bypass vulnerability in Grafana

    PR:             258962
    Differential Revision:  https://reviews.freebsd.org/D32667

 security/vuxml/vuln-2021.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
Comment 7 commit-hook freebsd_committer freebsd_triage 2021-10-27 09:09:01 UTC
A commit in branch 2021Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=6d7306b058583f4b39036c9c2c5c73f2297318bb

commit 6d7306b058583f4b39036c9c2c5c73f2297318bb
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2021-10-27 08:30:01 +0000
Commit:     Yasuhiro Kimura <yasu@FreeBSD.org>
CommitDate: 2021-10-27 09:07:44 +0000

    www/grafana8: Update to 8.1.6

    ReleaseNotes:   https://grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-critical-security-fix/
    PR:             258962
    Security:       CVE-2021-39226
    (cherry picked from commit 725c5eb1df6a47cad84a95b05ee2460868a93096)

 www/grafana8/Makefile         | 13 ++++++-------
 www/grafana8/Makefile.modules |  3 ++-
 www/grafana8/distinfo         | 16 +++++++++-------
 3 files changed, 17 insertions(+), 15 deletions(-)
Comment 8 Yasuhiro Kimura freebsd_committer freebsd_triage 2021-10-27 09:11:28 UTC
Committed and merged to quarterly branch. Thanks!