Accepting request 1251843 from server:monitoring

OBS-URL: https://build.opensuse.org/request/show/1251843 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/grafana?expand=0&rev=70
2025-03-10 19:19:15 +00:00
parent 57a2c0ec59 af7737579f
commit 88851a5e27
8 changed files with 65 additions and 8 deletions
--- a/0003-Bump-go-jose.patch
+++ b/0003-Bump-go-jose.patch
@@ -0,0 +1,28 @@
+diff --git a/go.mod b/go.mod
+index c8b9d1ba5eb..48dbe231802 100644
+--- a/go.mod
+++ b/go.mod
+@@ -41,7 +41,7 @@ require (
+ 	github.com/fatih/color v1.17.0 // @grafana/grafana-backend-group
+ 	github.com/fullstorydev/grpchan v1.1.1 // @grafana/grafana-backend-group
+ 	github.com/gchaincl/sqlhooks v1.3.0 // @grafana/grafana-search-and-storage
+-	github.com/go-jose/go-jose/v3 v3.0.3 // @grafana/identity-access-team
+	github.com/go-jose/go-jose/v3 v3.0.4 // @grafana/identity-access-team
+ 	github.com/go-kit/log v0.2.1 //  @grafana/grafana-backend-group
+ 	github.com/go-ldap/ldap/v3 v3.4.4 // @grafana/identity-access-team
+ 	github.com/go-openapi/loads v0.22.0 // @grafana/alerting-backend
+diff --git a/go.sum b/go.sum
+index 41643ba4ce9..d1bf6924732 100644
+--- a/go.sum
+++ b/go.sum
+@@ -1146,8 +1146,8 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2
+ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+ github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=
+ github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
+-github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k=
+-github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
+github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY=
+github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
+ github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+ github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+ github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
--- a/1
+++ b/1
@@ -26,6 +26,7 @@ tar:
 	patch --no-backup-if-mismatch -p1 -i ../../0001-Add-source-code-reference.patch && \
 	# End patches section \
 	# Patches for Go modules go after here \
+	patch --no-backup-if-mismatch -p1 -i ../../0003-Bump-go-jose.patch && \
 	# End of Go modules patches section \
 	go mod download && \
 	go mod verify && \
--- a/2
+++ b/2
@@ -5,7 +5,7 @@
    <param name="exclude">.git</param>
    <param name="versionformat">@PARENT_TAG@</param>
    <param name="versionrewrite-pattern">v(.*)</param>
-    <param name="revision">v11.5.1</param>
+    <param name="revision">v11.5.2</param>
  </service>
  <service name="recompress" mode="manual">
    <param name="compression">gz</param>
--- a/grafana-11.5.1.tar.gz
+++ b/grafana-11.5.1.tar.gz
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:53ae77276a3083a795a312b241ba6097e9acbe6ea15fed0a1a105b31b1c871eb
-size 97125226
--- a/grafana-11.5.2.tar.gz
+++ b/grafana-11.5.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:84a224b4a23137d47e71ce9e0cbfcf4cf9d21aeb09978a21f4400b19707e7904
+size 97165183
--- a/grafana.changes
+++ b/grafana.changes
@@ -1,3 +1,29 @@
+-------------------------------------------------------------------
+Mon Mar 10 11:27:53 UTC 2025 - Witek Bedyk <witold.bedyk@suse.com>
+
+- CVE-2025-27144: Fix Go JOSE's Parsing Vulnerability (bsc#1237671)
+  * Add 0003-Bump-go-jose.patch
+
+-------------------------------------------------------------------
+Sun Mar  9 23:18:51 UTC 2025 - Eric Torres <eric.torres@its-et.me>
+
+- Update to version 11.5.2:
+  Features and Enhancements
+  * TransformationFilter: Include transformation outputs in transformation filtering options
+  * grafana-ui: Update InlineField error prop type to React.ReactNode
+  Bug fixes:
+  * Alerting: Allow specifying uid for new rules added to groups
+  * Alerting: Allow specifying uid for new rules added to groups
+  * Alerting: Call RLock() before reading sendAlertsTo map
+  * Auth: Fix redirect with JWT auth URL login
+  * AuthN: Refetch user on "ErrUserAlreadyExists"
+  * Azure: Correctly set application insights resource values
+  * CodeEditor: Fix cursor alignment
+  * DashboardList: Throttle the re-renders
+  * Dashboards: Bring back scripted dashboards
+  * Plugin Metrics: Eliminate data race in plugin metrics middleware
+  * RBAC: Don't check folder access if annotationPermissionUpdate FT is enabled
+
 -------------------------------------------------------------------
 Thu Feb 20 10:45:49 UTC 2025 - Witek Bedyk <witold.bedyk@suse.com>

--- a/grafana.spec
+++ b/grafana.spec
@@ -22,7 +22,7 @@
 %endif

 Name:           grafana
-Version:        11.5.1
+Version:        11.5.2
 Release:        0
 Summary:        The open-source platform for monitoring and observability
 License:        AGPL-3.0-only
@@ -37,10 +37,12 @@ Source3:        README
 Source4:        Makefile
 Source5:        0001-Add-source-code-reference.patch
 Patch2:         0002-Use-bash-instead-of-env.patch
+# CVE-2025-27144
+Patch3:         0003-Bump-go-jose.patch
 BuildRequires:  fdupes
 BuildRequires:  git-core
 BuildRequires:  wire
-BuildRequires:  golang(API) >= 1.23.5
+BuildRequires:  golang(API) >= 1.23.7
 Requires(post): %fillup_prereq
 Requires:       group(grafana)
 Requires:       user(grafana)
--- a/vendor.tar.gz
+++ b/vendor.tar.gz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:3a43f24d29438de3f0d27bf2d5c22dd5b0c4d09b51150823b2c71d71e48a67ee
-size 78306890
+oid sha256:da562a6c4e845a8cfa28c6ab934d4a7d4c9d43dfe43f94a01e57a049dd1d441a
+size 78302714