Accepting request 1251836 from home:witekbedyk:branches:server:monitoring

- CVE-2025-27144: Fix Go JOSE's Parsing Vulnerability (bsc#1237671) * Add 0003-Bump-go-jose.patch OBS-URL: https://build.opensuse.org/request/show/1251836 OBS-URL: https://build.opensuse.org/package/show/server:monitoring/grafana?expand=0&rev=159
2025-03-10 16:03:35 +00:00
parent 260cce0686
commit af7737579f
5 changed files with 39 additions and 2 deletions
--- a/0003-Bump-go-jose.patch
+++ b/0003-Bump-go-jose.patch
@@ -0,0 +1,28 @@
+diff --git a/go.mod b/go.mod
+index c8b9d1ba5eb..48dbe231802 100644
+--- a/go.mod
+++ b/go.mod
+@@ -41,7 +41,7 @@ require (
+ 	github.com/fatih/color v1.17.0 // @grafana/grafana-backend-group
+ 	github.com/fullstorydev/grpchan v1.1.1 // @grafana/grafana-backend-group
+ 	github.com/gchaincl/sqlhooks v1.3.0 // @grafana/grafana-search-and-storage
+-	github.com/go-jose/go-jose/v3 v3.0.3 // @grafana/identity-access-team
+	github.com/go-jose/go-jose/v3 v3.0.4 // @grafana/identity-access-team
+ 	github.com/go-kit/log v0.2.1 //  @grafana/grafana-backend-group
+ 	github.com/go-ldap/ldap/v3 v3.4.4 // @grafana/identity-access-team
+ 	github.com/go-openapi/loads v0.22.0 // @grafana/alerting-backend
+diff --git a/go.sum b/go.sum
+index 41643ba4ce9..d1bf6924732 100644
+--- a/go.sum
+++ b/go.sum
+@@ -1146,8 +1146,8 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2
+ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+ github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=
+ github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
+-github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k=
+-github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
+github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY=
+github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
+ github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+ github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+ github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
--- a/1
+++ b/1
@@ -26,6 +26,7 @@ tar:
 	patch --no-backup-if-mismatch -p1 -i ../../0001-Add-source-code-reference.patch && \
 	# End patches section \
 	# Patches for Go modules go after here \
+	patch --no-backup-if-mismatch -p1 -i ../../0003-Bump-go-jose.patch && \
 	# End of Go modules patches section \
 	go mod download && \
 	go mod verify && \
--- a/grafana.changes
+++ b/grafana.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Mar 10 11:27:53 UTC 2025 - Witek Bedyk <witold.bedyk@suse.com>
+
+- CVE-2025-27144: Fix Go JOSE's Parsing Vulnerability (bsc#1237671)
+  * Add 0003-Bump-go-jose.patch
+
 -------------------------------------------------------------------
 Sun Mar  9 23:18:51 UTC 2025 - Eric Torres <eric.torres@its-et.me>

--- a/grafana.spec
+++ b/grafana.spec
@@ -37,6 +37,8 @@ Source3:        README
 Source4:        Makefile
 Source5:        0001-Add-source-code-reference.patch
 Patch2:         0002-Use-bash-instead-of-env.patch
+# CVE-2025-27144
+Patch3:         0003-Bump-go-jose.patch
 BuildRequires:  fdupes
 BuildRequires:  git-core
 BuildRequires:  wire
--- a/vendor.tar.gz
+++ b/vendor.tar.gz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:1df707aa3ca4d46ef0ed4fcc87199c00bf832cb7f1df2b997245d03b1b2e652f
-size 78354188
+oid sha256:da562a6c4e845a8cfa28c6ab934d4a7d4c9d43dfe43f94a01e57a049dd1d441a
+size 78302714