Bug 269903 - www/grafana{8,9}: Update to 8.5.21 and 9.3.8 (Fixes security vulnerabilities)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Fernando Apesteguía
URL: https://grafana.com/blog/2023/02/28/g...
Keywords: security
 
Reported: 2023-03-01 19:05 UTC by Boris Korzun
Modified: 2023-03-03 12:19 UTC

fluffy: merge-quarterly+


Attachments
grafana8.patch (2.28 KB, patch)
2023-03-01 19:05 UTC, Boris Korzun
drtr0jan: maintainer-approval+
grafana9.patch (13.44 KB, patch)
2023-03-01 19:08 UTC, Boris Korzun
drtr0jan: maintainer-approval+
vuxml.patch (5.38 KB, patch)
2023-03-01 19:13 UTC, Boris Korzun
drtr0jan: maintainer-approval? (ports-secteam)

Description Boris Korzun 2023-03-01 19:05:50 UTC
Created attachment 240515
grafana8.patch

Update to 8.5.21
Comment 1 Boris Korzun 2023-03-01 19:08:01 UTC
Created attachment 240516
grafana9.patch

Update to 9.3.8
Comment 2 Boris Korzun 2023-03-01 19:13:30 UTC
Created attachment 240517
vuxml.patch

vuxml:
* CVE-2023-0507 - Stored XSS in geomap panel plugin via attribution (High)
* CVE-2023-0594 - Stored XSS in TraceView panel (High)
* CVE-2023-22462 - Stored XSS in text panel plugin

https://grafana.com/blog/2023/02/28/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-0594-cve-2023-0507-and-cve-2023-22462/
Comment 3 commit-hook freebsd_committer freebsd_triage 2023-03-03 10:52:00 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=462e31c4aa53dd4a69f0c3611daeb689d6096c30

commit 462e31c4aa53dd4a69f0c3611daeb689d6096c30
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2023-03-03 08:55:37 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-03-03 10:46:53 +0000

    security/vuxml: document grafana{8,9} CVEs

     * CVE-2023-0507 - Stored XSS in geomap panel plugin via attribution (High)
     * CVE-2023-0594 - Stored XSS in TraceView panel (High)
     * CVE-2023-22462 - Stored XSS in text panel plugin

    PR:             269903
    Reported by:    drtr0jan@yandex.ru

 security/vuxml/vuln/2023.xml | 126 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 126 insertions(+)
Comment 4 commit-hook freebsd_committer freebsd_triage 2023-03-03 12:10:12 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=5877f73ba26bbcb03700ab3d7d3943e9d0e0f3f3

commit 5877f73ba26bbcb03700ab3d7d3943e9d0e0f3f3
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2023-03-03 08:49:32 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-03-03 12:05:13 +0000

    www/grafana8: Update to 8.5.21 (Fixes security vulnerabilities)

    ChangeLog:
    https://grafana.com/blog/2023/02/28/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-0594-cve-2023-0507-and-cve-2023-22462/

    PR:             269903
    Reported by:    drtr0jan@yandex.ru (maintainer)
    MFH:            2023Q1 (security fix)
    Security:       CVE-2023-0594 CVE-2023-0507 CVE-2023-22462

 www/grafana8/Makefile |  7 +++----
 www/grafana8/distinfo | 10 +++++-----
 2 files changed, 8 insertions(+), 9 deletions(-)
Comment 5 commit-hook freebsd_committer freebsd_triage 2023-03-03 12:14:14 UTC
A commit in branch 2023Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=d5c2f5843729aa128abc9f4a98688a63d89b6762

commit d5c2f5843729aa128abc9f4a98688a63d89b6762
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2023-03-03 08:49:32 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-03-03 12:09:17 +0000

    www/grafana8: Update to 8.5.21 (Fixes security vulnerabilities)

    ChangeLog:
    https://grafana.com/blog/2023/02/28/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-0594-cve-2023-0507-and-cve-2023-22462/

    PR:             269903
    Reported by:    drtr0jan@yandex.ru (maintainer)
    MFH:            2023Q1 (security fix)
    Security:       CVE-2023-0594 CVE-2023-0507 CVE-2023-22462

    (cherry picked from commit 5877f73ba26bbcb03700ab3d7d3943e9d0e0f3f3)

 www/grafana8/Makefile |  7 +++----
 www/grafana8/distinfo | 10 +++++-----
 2 files changed, 8 insertions(+), 9 deletions(-)
Comment 6 commit-hook freebsd_committer freebsd_triage 2023-03-03 12:16:16 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f0842e53c88bc6269b2318aa46ba90d02e2dc236

commit f0842e53c88bc6269b2318aa46ba90d02e2dc236
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2023-03-03 08:53:21 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-03-03 12:10:57 +0000

    www/grafana9: Update to 9.3.8 (Fixes security vulnerabilities)

    ChangeLog:
    https://grafana.com/blog/2023/02/28/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-0594-cve-2023-0507-and-cve-2023-22462/

    PR:             269903
    Reported by:    drtr0jan@yandex.ru (maintainer)
    MFH:            2023Q1 (security fix)
    Security:       CVE-2023-0594 CVE-2023-0507 CVE-2023-22462

 www/grafana9/Makefile  |  8 ++---
 www/grafana9/distinfo  | 14 ++++-----
 www/grafana9/pkg-plist | 81 +++++++++++++++++++++++++-------------------------
 3 files changed, 52 insertions(+), 51 deletions(-)
Comment 7 commit-hook freebsd_committer freebsd_triage 2023-03-03 12:18:17 UTC
A commit in branch 2023Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ef150bc7260870482ab4087c455a339166ac3c9c

commit ef150bc7260870482ab4087c455a339166ac3c9c
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2023-03-03 08:53:21 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-03-03 12:13:07 +0000

    www/grafana9: Update to 9.3.8 (Fixes security vulnerabilities)

    ChangeLog:
    https://grafana.com/blog/2023/02/28/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-0594-cve-2023-0507-and-cve-2023-22462/

    PR:             269903
    Reported by:    drtr0jan@yandex.ru (maintainer)
    MFH:            2023Q1 (security fix)
    Security:       CVE-2023-0594 CVE-2023-0507 CVE-2023-22462

    (cherry picked from commit f0842e53c88bc6269b2318aa46ba90d02e2dc236)

 www/grafana9/Makefile  |  8 ++---
 www/grafana9/distinfo  | 14 ++++-----
 www/grafana9/pkg-plist | 81 +++++++++++++++++++++++++-------------------------
 3 files changed, 52 insertions(+), 51 deletions(-)
Comment 8 Fernando Apesteguía freebsd_committer freebsd_triage 2023-03-03 12:19:56 UTC
Committed and merged to 2023Q1.

Thank you very much for the vuxml entry!