269903 – www/grafana{8,9}: Update to 8.5.21 and 9.3.8 (Fixes security vulnerabilities)

Bug 269903 - www/grafana{8,9}: Update to 8.5.21 and 9.3.8 (Fixes security vulnerabilities)

Summary: www/grafana{8,9}: Update to 8.5.21 and 9.3.8 (Fixes security vulnerabilities)

Status:	Closed FIXED

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	--- Affects Some People
Assignee:	Fernando Apesteguía

URL:	https://grafana.com/blog/2023/02/28/g...
Keywords:	security

Depends on:
Blocks:

Reported:	2023-03-01 19:05 UTC by Boris Korzun
Modified:	2023-03-03 12:19 UTC (History)
CC List:	3 users (show)

See Also:

Flags:	fluffy: merge-quarterly+

Attachments
grafana8.patch (2.28 KB, patch) 2023-03-01 19:05 UTC, Boris Korzun	drtr0jan: maintainer-approval+	Details \| Diff
grafana9.patch (13.44 KB, patch) 2023-03-01 19:08 UTC, Boris Korzun	drtr0jan: maintainer-approval+	Details \| Diff
vuxml.patch (5.38 KB, patch) 2023-03-01 19:13 UTC, Boris Korzun	drtr0jan: maintainer-approval? (ports-secteam)	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Boris Korzun 2023-03-01 19:05:50 UTC

Created attachment 240515 [details]
grafana8.patch

Update to 8.5.21

Comment 1 Boris Korzun 2023-03-01 19:08:01 UTC

Created attachment 240516 [details]
grafana9.patch

Update to 9.3.8

Comment 2 Boris Korzun 2023-03-01 19:13:30 UTC

Created attachment 240517 [details]
vuxml.patch

vuxml:
* CVE-2023-0507 - Stored XSS in geomap panel plugin via attribution (High)
* CVE-2023-0594 - Stored XSS in TraceView panel (High)
* CVE-2023-22462 - Stored XSS in text panel plugin

https://grafana.com/blog/2023/02/28/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-0594-cve-2023-0507-and-cve-2023-22462/

Comment 3 commit-hook freebsd_committer

2023-03-03 10:52:00 UTC

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=462e31c4aa53dd4a69f0c3611daeb689d6096c30

commit 462e31c4aa53dd4a69f0c3611daeb689d6096c30
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2023-03-03 08:55:37 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-03-03 10:46:53 +0000

    security/vuxml: document grafana{8,9} CVEs

     * CVE-2023-0507 - Stored XSS in geomap panel plugin via attribution (High)
     * CVE-2023-0594 - Stored XSS in TraceView panel (High)
     * CVE-2023-22462 - Stored XSS in text panel plugin

    PR:             269903
    Reported by:    drtr0jan@yandex.ru

 security/vuxml/vuln/2023.xml | 126 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 126 insertions(+)

Comment 4 commit-hook freebsd_committer

2023-03-03 12:10:12 UTC

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=5877f73ba26bbcb03700ab3d7d3943e9d0e0f3f3

commit 5877f73ba26bbcb03700ab3d7d3943e9d0e0f3f3
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2023-03-03 08:49:32 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-03-03 12:05:13 +0000

    www/grafana8: Update to 8.5.21 (Fixes security vulnerabilities)

    ChangeLog:
    https://grafana.com/blog/2023/02/28/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-0594-cve-2023-0507-and-cve-2023-22462/

    PR:             269903
    Reported by:    drtr0jan@yandex.ru (maintainer)
    MFH:            2023Q1 (security fix)
    Security:       CVE-2023-0594 CVE-2023-0507 CVE-2023-22462

 www/grafana8/Makefile |  7 +++----
 www/grafana8/distinfo | 10 +++++-----
 2 files changed, 8 insertions(+), 9 deletions(-)

Comment 5 commit-hook freebsd_committer

2023-03-03 12:14:14 UTC

A commit in branch 2023Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=d5c2f5843729aa128abc9f4a98688a63d89b6762

commit d5c2f5843729aa128abc9f4a98688a63d89b6762
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2023-03-03 08:49:32 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-03-03 12:09:17 +0000

    www/grafana8: Update to 8.5.21 (Fixes security vulnerabilities)

    ChangeLog:
    https://grafana.com/blog/2023/02/28/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-0594-cve-2023-0507-and-cve-2023-22462/

    PR:             269903
    Reported by:    drtr0jan@yandex.ru (maintainer)
    MFH:            2023Q1 (security fix)
    Security:       CVE-2023-0594 CVE-2023-0507 CVE-2023-22462

    (cherry picked from commit 5877f73ba26bbcb03700ab3d7d3943e9d0e0f3f3)

 www/grafana8/Makefile |  7 +++----
 www/grafana8/distinfo | 10 +++++-----
 2 files changed, 8 insertions(+), 9 deletions(-)

Comment 6 commit-hook freebsd_committer

2023-03-03 12:16:16 UTC

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f0842e53c88bc6269b2318aa46ba90d02e2dc236

commit f0842e53c88bc6269b2318aa46ba90d02e2dc236
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2023-03-03 08:53:21 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-03-03 12:10:57 +0000

    www/grafana9: Update to 9.3.8 (Fixes security vulnerabilities)

    ChangeLog:
    https://grafana.com/blog/2023/02/28/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-0594-cve-2023-0507-and-cve-2023-22462/

    PR:             269903
    Reported by:    drtr0jan@yandex.ru (maintainer)
    MFH:            2023Q1 (security fix)
    Security:       CVE-2023-0594 CVE-2023-0507 CVE-2023-22462

 www/grafana9/Makefile  |  8 ++---
 www/grafana9/distinfo  | 14 ++++-----
 www/grafana9/pkg-plist | 81 +++++++++++++++++++++++++-------------------------
 3 files changed, 52 insertions(+), 51 deletions(-)

Comment 7 commit-hook freebsd_committer

2023-03-03 12:18:17 UTC

A commit in branch 2023Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ef150bc7260870482ab4087c455a339166ac3c9c

commit ef150bc7260870482ab4087c455a339166ac3c9c
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2023-03-03 08:53:21 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-03-03 12:13:07 +0000

    www/grafana9: Update to 9.3.8 (Fixes security vulnerabilities)

    ChangeLog:
    https://grafana.com/blog/2023/02/28/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-0594-cve-2023-0507-and-cve-2023-22462/

    PR:             269903
    Reported by:    drtr0jan@yandex.ru (maintainer)
    MFH:            2023Q1 (security fix)
    Security:       CVE-2023-0594 CVE-2023-0507 CVE-2023-22462

    (cherry picked from commit f0842e53c88bc6269b2318aa46ba90d02e2dc236)

 www/grafana9/Makefile  |  8 ++---
 www/grafana9/distinfo  | 14 ++++-----
 www/grafana9/pkg-plist | 81 +++++++++++++++++++++++++-------------------------
 3 files changed, 52 insertions(+), 51 deletions(-)

Comment 8 Fernando Apesteguía freebsd_committer

2023-03-03 12:19:56 UTC

Committed and merged to 2023Q1.

Thank you very much for the vuxml entry!