From 7028791b45b27aeb355144ff3c381ea2a3bb8cfb Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Oct 12 2021 10:37:15 +0000
Subject: import grafana-7.3.6-3.el8_4
---
diff --git a/SOURCES/007-CVE-2021-39226.patch b/SOURCES/007-CVE-2021-39226.patch
new file mode 100644
index 0000000..8202e1a
--- /dev/null
+++ b/SOURCES/007-CVE-2021-39226.patch
@@ -0,0 +1,55 @@
+diff --git a/pkg/api/dashboard_snapshot.go b/pkg/api/dashboard_snapshot.go
+index d657b98809..a59865cc22 100644
+--- a/pkg/api/dashboard_snapshot.go
++++ b/pkg/api/dashboard_snapshot.go
+@@ -138,6 +138,9 @@ func CreateDashboardSnapshot(c *models.ReqContext, cmd models.CreateDashboardSna
+ // GET /api/snapshots/:key
+ func GetDashboardSnapshot(c *models.ReqContext) Response {
+ key := c.Params(":key")
++ if len(key) == 0 {
++ return Error(404, "Snapshot not found", nil)
++ }
+ query := &models.GetDashboardSnapshotQuery{Key: key}
+
+ err := bus.Dispatch(query)
+@@ -202,6 +205,9 @@ func deleteExternalDashboardSnapshot(externalUrl string) error {
+ // GET /api/snapshots-delete/:deleteKey
+ func DeleteDashboardSnapshotByDeleteKey(c *models.ReqContext) Response {
+ key := c.Params(":deleteKey")
++ if len(key) == 0 {
++ return Error(404, "Snapshot not found", nil)
++ }
+
+ query := &models.GetDashboardSnapshotQuery{DeleteKey: key}
+
+@@ -229,6 +235,9 @@ func DeleteDashboardSnapshotByDeleteKey(c *models.ReqContext) Response {
+ // DELETE /api/snapshots/:key
+ func DeleteDashboardSnapshot(c *models.ReqContext) Response {
+ key := c.Params(":key")
++ if len(key) == 0 {
++ return Error(404, "Snapshot not found", nil)
++ }
+
+ query := &models.GetDashboardSnapshotQuery{Key: key}
+
+diff --git a/vendor/gopkg.in/macaron.v1/router.go b/vendor/gopkg.in/macaron.v1/router.go
+index df593d669a..46cb0c160f 100644
+--- a/vendor/gopkg.in/macaron.v1/router.go
++++ b/vendor/gopkg.in/macaron.v1/router.go
+@@ -289,10 +289,12 @@ func (r *Router) SetHandlerWrapper(f func(Handler) Handler) {
+ func (r *Router) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
+ if t, ok := r.routers[req.Method]; ok {
+ // Fast match for static routes
+- leaf := r.getLeaf(req.Method, req.URL.Path)
+- if leaf != nil {
+- leaf.handle(rw, req, nil)
+- return
++ if !strings.ContainsAny(req.URL.Path, ":*") {
++ leaf := r.getLeaf(req.Method, req.URL.Path)
++ if leaf != nil {
++ leaf.handle(rw, req, nil)
++ return
++ }
+ }
+
+ h, p, ok := t.Match(req.URL.EscapedPath())
diff --git a/SOURCES/008-CVE-2021-27358.patch b/SOURCES/008-CVE-2021-27358.patch
new file mode 100644
index 0000000..07e9a9f
--- /dev/null
+++ b/SOURCES/008-CVE-2021-27358.patch
@@ -0,0 +1,17 @@
+diff --git a/pkg/middleware/auth.go b/pkg/middleware/auth.go
+index c44d7dd9a7..4989ea0e1c 100644
+--- a/pkg/middleware/auth.go
++++ b/pkg/middleware/auth.go
+@@ -141,9 +141,9 @@ func SnapshotPublicModeOrSignedIn() macaron.Handler {
+ return
+ }
+
+- _, err := c.Invoke(ReqSignedIn)
+- if err != nil {
+- c.JsonApiErr(500, "Failed to invoke required signed in middleware", err)
++ if !c.IsSignedIn {
++ notAuthorized(c)
++ return
+ }
+ }
+ }
diff --git a/SPECS/grafana.spec b/SPECS/grafana.spec
index 527d0ff..0acde69 100644
--- a/SPECS/grafana.spec
+++ b/SPECS/grafana.spec
@@ -27,7 +27,7 @@ end}
 Name: grafana
 Version: 7.3.6
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Metrics dashboard and graph editor
 License: ASL 2.0
 URL: https://grafana.org
@@ -71,6 +71,8 @@ Patch4: 004-skip-x86-goldenfiles-tests.patch
 Patch5: 005-pin-yarn-version.patch
 Patch6: 006-remove-saml-dependency.patch
+Patch7: 007-CVE-2021-39226.patch
+Patch8: 008-CVE-2021-27358.patch
 
 # Intersection of go_arches and nodejs_arches
 ExclusiveArch: %{grafana_arches}
@@ -452,6 +454,8 @@ rm -r plugins-bundled
 %endif
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
+%patch8 -p1
 
 # Set up build subdirs and links
 mkdir -p %{_builddir}/src/github.com/grafana
@@ -627,6 +631,10 @@ export TZ=GMT
 %changelog
+* Wed Oct 06 2021 Andreas Gerstmayr 7.3.6-3
+- resolve CVE-2021-39226
+- resolve CVE-2021-27358
+
 * Fri Jan 22 2021 Andreas Gerstmayr 7.3.6-2
 - change working dir to $GRAFANA_HOME in grafana-cli wrapper (fixes Red Hat BZ #1916083)
 - add pcp-redis-datasource to allow_loading_unsigned_plugins config option
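Review bot: The empty-key guard lives only in the three API handlers, while the `GetDashboardSnapshotQuery` built right after each guard is still dispatched with whatever `Key`/`DeleteKey` it carries, so any other dispatcher of that query with an empty key (presumably the same first-row match that made the unguarded request exploitable — confirm against the sqlstore handler) stays unprotected; a second check where the query is handled, returning the store's not-found error when both `Key` and `DeleteKey` are empty, would close that path independently of the HTTP layer. The three identical copies of `if len(key) == 0 { return Error(404, "Snapshot not found", nil) }` would also read better as one small helper shared by the handlers. The vendored router change skips the static fast path for paths containing `:` or `*`, which appears to be what stops a literal `/api/snapshots/:key` request from reaching the handler with the param unset; it relies on `strings` already being imported in router.go, which the hunk does not show, and will need re-applying whenever the vendored macaron copy is refreshed. All four patched functions continue outside their hunks.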
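Review bot: The new `if !c.IsSignedIn { notAuthorized(c); return }` branch re-implements the sign-in rule instead of invoking it, which leaves two copies to keep in sync if `ReqSignedIn` ever changes (its body is not in this patch, so confirm they are equivalent); since the point of the fix is to stop the chain before the snapshot handler runs rather than to change the rule, calling `ReqSignedIn` directly as a plain function, if its signature allows, would express that without duplication. Neither patch carries a regression test; an HTTP-level test that an unauthenticated `POST /api/snapshots` is rejected with 401 when snapshot public mode is disabled would pin CVE-2021-27358 in this 7.3.6 branch. `SnapshotPublicModeOrSignedIn` begins outside the hunk, so the public-mode branch whose `return` is visible at the top is not shown here.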