diff --git a/0002-Update-exporter-toolkit-to-version-0.7.3.patch b/0002-Update-exporter-toolkit-to-version-0.7.3.patch
new file mode 100644
index 0000000..0d78286
--- /dev/null
+++ b/0002-Update-exporter-toolkit-to-version-0.7.3.patch
@@ -0,0 +1,23 @@
+From: Witek Bedyk
+Subject: [PATCH] Update exporter-toolkit to version 0.7.3
+
+---
+ go.mod | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/go.mod b/go.mod
+index 2572cebe7e..91829bc695 100644
+--- a/go.mod
++++ b/go.mod
+@@ -218,7 +218,7 @@ require (
+ github.com/opentracing-contrib/go-stdlib v1.0.0 // indirect
+ github.com/pmezard/go-difflib v1.0.0 // indirect
+ github.com/prometheus/common/sigv4 v0.1.0 // indirect
+- github.com/prometheus/exporter-toolkit v0.7.0 // indirect
++ github.com/prometheus/exporter-toolkit v0.7.3 // indirect
+ github.com/prometheus/node_exporter v1.0.0-rc.0.0.20200428091818-01054558c289 // indirect
+ github.com/prometheus/procfs v0.7.3 // indirect
+ github.com/protocolbuffers/txtpbfmt v0.0.0-20201118171849-f6a6b3f636fc // indirect
+--
+2.35.3
+
diff --git a/Makefile b/Makefile
index fd09428..7523339 100644
--- a/Makefile
+++ b/Makefile
@@ -24,7 +24,12 @@ tar:
 cd $$basename && \
 # Patches for the JS frontend go after here \
 patch --no-backup-if-mismatch -p1 -i ../../0001-Add-source-code-reference.patch && \
+ patch --no-backup-if-mismatch -p1 -i ../../0002-Update-exporter-toolkit-to-version-0.7.3.patch && \
 # End patches section \
+ go mod download && \
+ go mod verify && \
+ go mod vendor && \
+ tar --format=posix -cf ../../vendor.tar vendor && \
 # avoid ".git can't be found" \
 git init && \
 # avoid "FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory" \
@@ -36,4 +41,5 @@ tar:
 tar -rf ../$$tar $$basename/public && \
 cd .. && \
 gzip $$tar && \
+ gzip -f vendor.tar && \
 rm -rf $$tmpdir
diff --git a/_service b/_service
index de47b09..e53f290 100644
--- a/_service
+++ b/_service
@@ -15,5 +15,4 @@ grafana - 
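Review bot: `go mod verify` in this recipe does not by itself authenticate the new exporter-toolkit v0.7.3 content, because it only confirms that the module cache still matches the hashes recorded when the modules were downloaded. The 0002 patch applied just above changes `go.mod` only (its diffstat lists one file), so unless `go.sum` already carries v0.7.3 entries, which is not visible here, the trust anchor for the CVE-2022-46146 fix is the checksum-database lookup made during `go mod download`. I would record that assumption in the recipe, e.g. `# needs the Go checksum database: do not run with GOSUMDB=off, or with GONOSUMDB/GOPRIVATE matching github.com/prometheus \`, and consider carrying the matching `go.sum` lines in the patch so the hash is pinned in the package sources. The `tar:` recipe starts and continues outside this hunk.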
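Review bot: `gzip -f vendor.tar` writes the input file's name and modification time into the gzip header, and the `tar --format=posix -cf ../../vendor.tar vendor` call in the previous hunk records file order, mtimes, ownership and pax atime/ctime as they happen to be on the build host, so two runs of this recipe produce different `vendor.tar.gz` bytes. Since the commit pins that archive by sha256 in its LFS pointer, a reviewer cannot regenerate the vendored tree and compare hashes to confirm what was shipped for the security fix. Suggest `gzip -n -f vendor.tar && \` here and `tar --format=posix --sort=name --mtime='<fixed date>' --owner=0 --group=0 --numeric-owner --pax-option=delete=atime,delete=ctime -cf ../../vendor.tar vendor && \` above. It is also worth checking, in the recipe lines between the two hunks that are not shown, that the new `vendor/` directory is not swept into the main source tarball: its LFS pointer in this commit grows from 51575837 to 72011745 bytes, roughly the size of `vendor.tar.gz`.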
diff --git a/grafana-8.5.20.tar.gz b/grafana-8.5.20.tar.gz
index 46264b8..64ffe23 100644
--- a/grafana-8.5.20.tar.gz
+++ b/grafana-8.5.20.tar.gz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:5250d3fa4a312d88dd1f5e2554043f70e403e6adaee92ecc40307d7f9ecf9243
-size 51575837
+oid sha256:6834e2b3b963b145af8f908d235c0845e72e8d4af2f04bde6c7cd8641a10cf38
+size 72011745
diff --git a/grafana.changes b/grafana.changes
index d2d07a0..8053873 100644
--- a/grafana.changes
+++ b/grafana.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Feb 15 08:35:28 UTC 2023 - Witek Bedyk
+
+- Add 0002-Update-exporter-toolkit-to-version-0.7.3.patch
+ (bsc#1208065, CVE-2022-46146)
+- Require Go 1.19 or newer
+
 -------------------------------------------------------------------
 Mon Feb 06 09:12:33 UTC 2023 - witold.bedyk@suse.com
 
diff --git a/grafana.spec b/grafana.spec
index e2b3a56..f28b182 100644
--- a/grafana.spec
+++ b/grafana.spec
@@ -36,11 +36,13 @@ Source3: README
 # Makefile to automate build process
 Source4: Makefile
 Source5: 0001-Add-source-code-reference.patch
+# CVE-2022-46146 bsc#1208065
+Patch0: 0002-Update-exporter-toolkit-to-version-0.7.3.patch
 BuildRequires: fdupes
 BuildRequires: git-core
 BuildRequires: golang-packaging
 BuildRequires: wire
-BuildRequires: golang(API) >= 1.17
+BuildRequires: golang(API) >= 1.19
 Requires(post): %fillup_prereq
 Requires: group(grafana)
 Requires: user(grafana)
@@ -61,6 +63,7 @@ dashboards and data with teams.
 %prep
 %setup -q -n grafana-%{version}
 %setup -q -T -D -a 1 -n grafana-%{version}
+%patch0 -p1
 
 %build
 %goprep github.com/grafana/grafana
diff --git a/vendor.tar.gz b/vendor.tar.gz
index abfa9a4..15a5d27 100644
--- a/vendor.tar.gz
+++ b/vendor.tar.gz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:e1085edc2bb688d98424321e77970b4beaa211a54a4242b04765df7f10c5c30e
-size 19677383
+oid sha256:a418f8ec6a2ac62838fe0a2707b4e547136ba2adac93fd06d2f35acdc012cc8f
+size 20406957