Created attachment 234037: Update to Grafana 7.5.16

Update to 7.5.16 with a moderate severity security fix. See https://grafana.com/blog/2022/05/19/grafana-enterprise-8.5.3-and-7.5.16-released-with-moderate-severity-security-fix/

security/vuxml will most likely be taken care of by more experienced users for www/grafana8. This is just the patch to update the grafana7 port.
^Triage: Pending patch for www/grafana8 and vuxml entry
(In reply to Kubilay Kocak from comment #1) Grafana OSS is not impacted by this vulnerability. The bug only affects Grafana Enterprise (which isn't in the ports tree).
Grafana OSS indeed isn't impacted according to the blog. Grafana did, however, release new OSS versions 7.5.16 and 8.5.3 marked with "Security: Fixes CVE-2022-29170". See https://github.com/grafana/grafana/releases. That was my trigger to err on the safe side and provide a patch to keep track of the upstream OSS version.
(In reply to Xander from comment #3) (In reply to Boris Korzun from comment #2) Thank you for the detail, so to be explicit and clarify:

- The OSS versions did not receive any security related changes to their codebases?
- The inclusion of "Fixes CVE-2022-29170" in the OSS version release notes is incorrect?

In particular, can we point to any commit logs and/or issues for CVE-2022-29170 so we have details of the branches they were applied to, or the absence of said merges to OSS branches?
(In reply to Kubilay Kocak from comment #4)

- The OSS versions did not receive any security related changes. But the codebase is common for OSS and Enterprise.
- The inclusion of "Fixes CVE-2022-29170" in the codebase release notes is correct.

I think it isn't necessary to commit a new version to www/grafana8.
Since www/grafana7 has expired, this ticket can be closed.