Bug 271893 - www/grafana{8,9}: Update to 8.5.26 and 9.5.3 (Fixes security vulnerabilities)
Summary: www/grafana{8,9}: Update to 8.5.26 and 9.5.3 (Fixes security vulnerabilities)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Fernando Apesteguía
URL: https://grafana.com/blog/2023/06/06/g...
Keywords: security
Depends on:
Blocks:
 
Reported: 2023-06-07 21:01 UTC by Boris Korzun
Modified: 2023-06-08 12:22 UTC

See Also:
fernape: merge-quarterly+


Attachments
grafana8.patch (1.94 KB, patch)
2023-06-07 21:01 UTC, Boris Korzun
drtr0jan: maintainer-approval+
grafana9.patch (14.64 KB, patch)
2023-06-07 21:03 UTC, Boris Korzun
drtr0jan: maintainer-approval+
vuxml.patch (3.39 KB, patch)
2023-06-07 21:06 UTC, Boris Korzun
drtr0jan: maintainer-approval? (ports-secteam)

Description Boris Korzun 2023-06-07 21:01:57 UTC
Created attachment 242670
grafana8.patch

Update to 8.5.26
Comment 1 Boris Korzun 2023-06-07 21:03:44 UTC
Created attachment 242671
grafana9.patch

Update to 9.5.3
Comment 2 Boris Korzun 2023-06-07 21:06:33 UTC
Created attachment 242672
vuxml.patch

vuxml:
* CVE-2023-2183 - Broken access control: viewer can send test alerts ( https://grafana.com/security/security-advisories/cve-2023-2183/ )
* CVE-2023-2801 - Grafana DS proxy race condition ( https://grafana.com/security/security-advisories/cve-2023-2801/ )
Comment 3 commit-hook freebsd_committer freebsd_triage 2023-06-08 07:10:32 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=78a5f3b644535eb41444b28391419a3c405d9b37

commit 78a5f3b644535eb41444b28391419a3c405d9b37
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2023-06-08 06:55:34 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-06-08 06:55:34 +0000

    security/vuxml: Add www/grafana{8,9} vulnerabilities

    * CVE-2023-2183: with Base Score 4.1 (MEDIUM)
    * CVE-2023-2801: with Base Score 7.5 (HIGH)

    PR:             271893
    Reported by:    Boris Korzun <drtr0jan@yandex.ru>

 security/vuxml/vuln/2023.xml | 84 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 84 insertions(+)
Comment 4 commit-hook freebsd_committer freebsd_triage 2023-06-08 12:05:25 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=5e1375eb67faca515b66fdfd599540c68dd321a8

commit 5e1375eb67faca515b66fdfd599540c68dd321a8
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2023-06-08 06:51:50 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-06-08 11:59:17 +0000

    www/grafana8: Update to 8.5.26

    ChangeLog:
    https://grafana.com/blog/2023/06/06/grafana-security-release-new-grafana-versions-with-security-fixes-for-cve-2023-2183-and-cve-2023-2801/

    PR:             271893
    Reported by:    drtr0jan@yandex.ru
    MFH:            2023Q2 (security fixes)
    Security:       CVE-2023-2183 CVE-2023-2801

 www/grafana8/Makefile |  4 ++--
 www/grafana8/distinfo | 10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)
Comment 5 commit-hook freebsd_committer freebsd_triage 2023-06-08 12:05:26 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c81d6ad65de12f84246fec06691c820a416c37e7

commit c81d6ad65de12f84246fec06691c820a416c37e7
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2023-06-08 06:54:09 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-06-08 11:59:47 +0000

    www/grafana9: Update to 9.5.3

    ChangeLog:
    https://grafana.com/blog/2023/06/06/grafana-security-release-new-grafana-versions-with-security-fixes-for-cve-2023-2183-and-cve-2023-2801/

    PR:             271893
    Reported by:    drtr0jan@yandex.ru
    MFH:            2023Q2 (security fixes)
    Security:       CVE-2023-2183 CVE-2023-2801

 www/grafana9/Makefile  |  4 +--
 www/grafana9/distinfo  | 14 ++++-----
 www/grafana9/pkg-plist | 85 +++++++++++++++++++++++++-------------------------
 3 files changed, 52 insertions(+), 51 deletions(-)
Comment 6 commit-hook freebsd_committer freebsd_triage 2023-06-08 12:08:28 UTC
A commit in branch 2023Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=087d92ae3bd5ee2d89daddcce7de2b296802a1b9

commit 087d92ae3bd5ee2d89daddcce7de2b296802a1b9
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2023-06-08 06:51:50 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-06-08 12:02:09 +0000

    www/grafana8: Update to 8.5.26

    ChangeLog:
    https://grafana.com/blog/2023/06/06/grafana-security-release-new-grafana-versions-with-security-fixes-for-cve-2023-2183-and-cve-2023-2801/

    PR:             271893
    Reported by:    drtr0jan@yandex.ru
    MFH:            2023Q2 (security fixes)
    Security:       CVE-2023-2183 CVE-2023-2801

    (cherry picked from commit 5e1375eb67faca515b66fdfd599540c68dd321a8)

 www/grafana8/Makefile |  4 ++--
 www/grafana8/distinfo | 10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)
Comment 7 commit-hook freebsd_committer freebsd_triage 2023-06-08 12:21:30 UTC
A commit in branch 2023Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c0d5fa9fdfcc0d07e58996da5faf9a30e92d7472

commit c0d5fa9fdfcc0d07e58996da5faf9a30e92d7472
Author:     Boris Korzun <drtr0jan@yandex.ru>
AuthorDate: 2023-06-08 06:54:09 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-06-08 12:15:29 +0000

    www/grafana9: Update to 9.5.3

    ChangeLog:
    https://grafana.com/blog/2023/06/06/grafana-security-release-new-grafana-versions-with-security-fixes-for-cve-2023-2183-and-cve-2023-2801/

    PR:             271893
    Reported by:    drtr0jan@yandex.ru
    MFH:            2023Q2 (security fixes)
    Security:       CVE-2023-2183 CVE-2023-2801

    (cherry picked from commit c81d6ad65de12f84246fec06691c820a416c37e7)

 www/grafana9/Makefile  |    6 +-
 www/grafana9/distinfo  |   14 +-
 www/grafana9/pkg-plist | 1171 +++++++++++++++++++++++++-----------------------
 3 files changed, 630 insertions(+), 561 deletions(-)
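Review bot: the diffstat of this cherry-pick does not match the commit it was picked from. c81d6ad65de12f84246fec06691c820a416c37e7 on main touched Makefile with 4 changed lines and pkg-plist with 85 (52 insertions, 51 deletions overall), while here Makefile has 6 and pkg-plist has 1171 (630 insertions, 561 deletions overall). The 2023Q2 change was therefore adapted to a different base rather than applied as-is, and the commit message could say so. The much larger pkg-plist change is worth verifying against a package built on the quarterly branch.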
Comment 8 Fernando Apesteguía freebsd_committer freebsd_triage 2023-06-08 12:22:06 UTC
Committed and merged to 2023Q2.

Thanks for taking the time to fill the vuxml entry!