Script 'mail_helper' called by obssrc

Hello community,

here is the log from the commit of package grafana for openSUSE:Factory checked in at 2026-04-22 17:02:11

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/grafana (Old)
 and      /work/SRC/openSUSE:Factory/.grafana.new.11940 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "grafana"

Wed Apr 22 17:02:11 2026 rev:82 rq:1348753 version:11.6.14+security01

Changes:
--------
--- /work/SRC/openSUSE:Factory/grafana/grafana.changes	2026-01-19 18:43:21.543101811 +0100
+++ /work/SRC/openSUSE:Factory/.grafana.new.11940/grafana.changes	2026-04-22 17:02:45.735832124 +0200
@@ -1,0 +2,80 @@ +Wed Apr 22 08:05:07 UTC 2026 - Witek Bedyk <[email protected]> + +- Add patch: + * 0002-Drop-zanzana.patch +- Rename patches: + * 0002-Use-bash-instead-of-env.patch -> + 0003-Use-bash-instead-of-env.patch + * 0003-Bump-expr-lang.patch -> 0004-Bump-expr-lang.patch +- Update patch: + * 0004-Bump-expr-lang.patch + +- CVE-2026-26958: Bump filippo.io/edwards25519 to version 1.1.1 + (bsc#1258595) + * Add 0005-Bump-edwards25519.patch +- CVE-2026-21725: Fix missing UID when deleting datasource by name + (bsc#1258873) + * Add 0006-Fix-CVE-2026-21725.patch +- Rebase 0002-Drop-zanzana.patch + +- Update to version 11.6.14+security-01: + Security: + * CVE-2026-33375: Fix denial of Service via out-of-memory + exhaustion in MSSQL data source plugin (bsc#1260881) + +- Update to version 11.6.14: + Security: + * CVE-2026-27876: Fix remote arbitrary code execution via chained + SQL Expressions (bsc#1261025) + * CVE-2026-27877: Fix information disclosure of data-source + passwords via public dashboards (bsc#1261026) + * CVE-2026-28375: Fix denial of service via testdata data-source + (bsc#1261029) + * CVE-2026-27879: Fix denial of service via resample query + (bsc#1261027) + * CVE-2026-33186: Fix authorization bypass due to improper + validation of the HTTP/2 :path pseudo-header (bsc#1260263) + * CVE-2026-21724: Fix authorization bypass allows modification of + protected webhook URLs (bsc#1260878) + +- Update to version 11.6.13: + Enhancement: + * Wire the public dashboard service to the HTTP server + +- Update to version 11.6.12: + Enhancement: + * Update authentication redirect logic + Bug fix: + * Fix single panel render with variable references + +- Update to version 11.6.11: + Features and enhancements: + * Alerting: Add limits for the size of expanded notification + templates + * Correlations: Remove support for org_id=0 + Security: + * CVE-2026-21722: Public dashboards annotations: use dashboard + timerange if time selection disabled (bsc#1258136) + 
+------------------------------------------------------------------- +Fri Jan 30 08:53:12 UTC 2026 - Witek Bedyk <[email protected]> + +- Update to version 11.6.10: + Security: + * CVE-2026-21721: Fix access control by the dashboard permissions + API (bsc#1257337) + * CVE-2026-21720: Fix unauthenticated DoS (bsc#1257349) + +- Update to version 11.6.9: + Features and enhancements: + * Alerting: Update alerting dependency + * Plugins: Add PluginContext to plugins when scenes is disabled + Bug fixes: + * Alerting: Fix contacts point issues + +- Update to version 11.6.8: + Bug fixes: + * Alerting: Fix unmarshalling of GettableStatus to include time + intervals + +------------------------------------------------------------------- Old: ---- 0002-Use-bash-instead-of-env.patch 0003-Bump-expr-lang.patch grafana-11.6.7.tar.gz New: ---- 0002-Drop-zanzana.patch 0003-Use-bash-instead-of-env.patch 0004-Bump-expr-lang.patch 0005-Bump-edwards25519.patch 0006-Fix-CVE-2026-21725.patch grafana-11.6.14+security01.tar.gz ----------(Old B)---------- Old:- Rename patches: * 0002-Use-bash-instead-of-env.patch -> 0003-Use-bash-instead-of-env.patch Old: 0003-Use-bash-instead-of-env.patch * 0003-Bump-expr-lang.patch -> 0004-Bump-expr-lang.patch - Update patch: ----------(Old E)---------- ----------(New B)---------- New:- Add patch: * 0002-Drop-zanzana.patch - Rename patches: New: * 0002-Use-bash-instead-of-env.patch -> 0003-Use-bash-instead-of-env.patch * 0003-Bump-expr-lang.patch -> 0004-Bump-expr-lang.patch New: 0003-Use-bash-instead-of-env.patch * 0003-Bump-expr-lang.patch -> 0004-Bump-expr-lang.patch - Update patch: New: (bsc#1258595) * Add 0005-Bump-edwards25519.patch - CVE-2026-21725: Fix missing UID when deleting datasource by name New: (bsc#1258873) * Add 0006-Fix-CVE-2026-21725.patch - Rebase 0002-Drop-zanzana.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ grafana.spec ++++++ 
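Review bot: The first Apr 22 changelog entry claims "- Update patch: * 0004-Bump-expr-lang.patch", but further down this mail shows "0003-Bump-expr-lang.patch -> 0004-Bump-expr-lang.patch" as a bare rename with no content diff following it, so either the entry overstates the change or the updated patch did not make it into the submission; please reconcile. The same entry both adds and later "Rebase"s 0002-Drop-zanzana.patch under one date header, separated by blank lines, which reads like several submissions squashed together; collapse to a single "Add patch" line. Minor: "Fix denial of Service" should be lower-case "service" to match the other entries, and the entry header "Update to version 11.6.14+security-01" uses the upstream tag while the package version is 11.6.14+security01; a short note that the dash is dropped for RPM would save the next reader a lookup.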
--- /var/tmp/diff_new_pack.HSEOAL/_old 2026-04-22 17:02:50.348016470 +0200 +++ /var/tmp/diff_new_pack.HSEOAL/_new 2026-04-22 17:02:50.360016949 +0200 @@ -22,7 +22,7 @@ %endif Name: grafana -Version: 11.6.7 +Version: 11.6.14+security01 Release: 0 Summary: The open-source platform for monitoring and observability License: AGPL-3.0-only @@ -36,8 +36,11 @@ # Makefile to automate build process Source4: Makefile Source5: 0001-Add-source-code-reference.patch -Patch2: 0002-Use-bash-instead-of-env.patch -Patch3: 0003-Bump-expr-lang.patch +Patch2: 0002-Drop-zanzana.patch +Patch3: 0003-Use-bash-instead-of-env.patch +Patch4: 0004-Bump-expr-lang.patch +Patch5: 0005-Bump-edwards25519.patch +Patch6: 0006-Fix-CVE-2026-21725.patch BuildRequires: fdupes BuildRequires: git-core BuildRequires: golang(API) >= 1.25 ++++++ 0002-Drop-zanzana.patch ++++++ ++++ 5764 lines (skipped) ++++++ 0002-Use-bash-instead-of-env.patch -> 0003-Use-bash-instead-of-env.patch ++++++ ++++++ 0003-Bump-expr-lang.patch -> 0004-Bump-expr-lang.patch ++++++ ++++++ 0005-Bump-edwards25519.patch ++++++ >From 25a9c949ed518c0cc6c457e299aa79ecb34ae6fe Mon Sep 17 00:00:00 2001 From: Witek Bedyk <[email protected]> Date: Tue, 31 Mar 2026 17:26:51 +0200 Subject: [PATCH] Bump filippo.io/edwards25519 to version 1.1.1 Fixes CVE-2026-26958 --- pkg/storage/unified/apistore/go.mod | 2 +- pkg/storage/unified/apistore/go.sum | 3 +++ pkg/storage/unified/resource/go.mod | 2 +- pkg/storage/unified/resource/go.sum | 2 ++ pkg/util/xorm/go.sum | 2 -- 5 files changed, 7 insertions(+), 4 deletions(-) diff --git a/pkg/storage/unified/apistore/go.mod b/pkg/storage/unified/apistore/go.mod index 9c8e0fae339..e21bd575fcf 100644 --- a/pkg/storage/unified/apistore/go.mod +++ b/pkg/storage/unified/apistore/go.mod 
@@ -41,7 +41,7 @@ require ( cloud.google.com/go/spanner v1.76.1 // indirect cloud.google.com/go/storage v1.52.0 // indirect dario.cat/mergo v1.0.1 // indirect - filippo.io/edwards25519 v1.1.0 // indirect + filippo.io/edwards25519 v1.1.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect diff --git a/pkg/storage/unified/apistore/go.sum b/pkg/storage/unified/apistore/go.sum index 4a0532a0c38..c4d20b8cd0b 100644 --- a/pkg/storage/unified/apistore/go.sum +++ b/pkg/storage/unified/apistore/go.sum @@ -624,6 +624,8 @@ dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= +filippo.io/edwards25519 v1.1.1 h1:YpjwWWlNmGIDyXOn8zLzqiD+9TyIlPhGFG96P39uBpw= +filippo.io/edwards25519 v1.1.1/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= gioui.org v0.0.0-20210308172011-57750fc8a0a6/go.mod h1:RSH6KIUZ0p2xy5zHDxgAM4zumjgTw83q2ge/PI+yyw8= git.sr.ht/~sbinet/gg v0.3.1/go.mod h1:KGYtlADtqsqANL9ueOFkWymvzUvLMQllU5Ixo+8v3pc= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU= 
@@ -947,6 +949,7 @@ github.com/elazarl/goproxy v1.7.1 h1:1P7LPSxbqtNxusFnXclj6O56pjfq1xOQZ6a0mwwKUlY github.com/elazarl/goproxy v1.7.1/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE= github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= diff --git a/pkg/storage/unified/resource/go.mod b/pkg/storage/unified/resource/go.mod index 31d9a325388..3c4a021245e 100644 --- a/pkg/storage/unified/resource/go.mod +++ b/pkg/storage/unified/resource/go.mod @@ -43,7 +43,7 @@ require ( cloud.google.com/go/monitoring v1.24.1 // indirect cloud.google.com/go/spanner v1.76.1 // indirect cloud.google.com/go/storage v1.52.0 // indirect - filippo.io/edwards25519 v1.1.0 // indirect + filippo.io/edwards25519 v1.1.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect diff --git a/pkg/storage/unified/resource/go.sum b/pkg/storage/unified/resource/go.sum index ff941a38597..c7d1f2388c5 100644 --- a/pkg/storage/unified/resource/go.sum +++ b/pkg/storage/unified/resource/go.sum 
@@ -624,6 +624,8 @@ dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= +filippo.io/edwards25519 v1.1.1 h1:YpjwWWlNmGIDyXOn8zLzqiD+9TyIlPhGFG96P39uBpw= +filippo.io/edwards25519 v1.1.1/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= gioui.org v0.0.0-20210308172011-57750fc8a0a6/go.mod h1:RSH6KIUZ0p2xy5zHDxgAM4zumjgTw83q2ge/PI+yyw8= git.sr.ht/~sbinet/gg v0.3.1/go.mod h1:KGYtlADtqsqANL9ueOFkWymvzUvLMQllU5Ixo+8v3pc= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU= diff --git a/pkg/util/xorm/go.sum b/pkg/util/xorm/go.sum index 61346d9e28f..5b07c110db4 100644 --- a/pkg/util/xorm/go.sum +++ b/pkg/util/xorm/go.sum @@ -611,8 +611,6 @@ cloud.google.com/go/workflows v1.8.0/go.mod h1:ysGhmEajwZxGn1OhGOGKsTXc5PyxOc0vf cloud.google.com/go/workflows v1.9.0/go.mod h1:ZGkj1aFIOd9c8Gerkjjq7OW7I5+l6cSvT3ujaO/WwSA= cloud.google.com/go/workflows v1.10.0/go.mod h1:fZ8LmRmZQWacon9UCX1r/g/DfAXx5VcPALq2CxzdePw= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= -filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= -filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= gioui.org v0.0.0-20210308172011-57750fc8a0a6/go.mod h1:RSH6KIUZ0p2xy5zHDxgAM4zumjgTw83q2ge/PI+yyw8= git.sr.ht/~sbinet/gg v0.3.1/go.mod h1:KGYtlADtqsqANL9ueOFkWymvzUvLMQllU5Ixo+8v3pc= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -- 2.51.0 ++++++ 0006-Fix-CVE-2026-21725.patch ++++++ >From b74b1d5d4f43be899b88b26af40f38d19b413fbe Mon Sep 17 00:00:00 2001 
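Review bot: In 0005-Bump-edwards25519.patch the requirement in pkg/storage/unified/apistore/go.mod and pkg/storage/unified/resource/go.mod moves to v1.1.1, but both matching go.sum files keep the v1.1.0 "h1:" and "/go.mod" lines directly above the new ones; only pkg/util/xorm/go.sum drops the old entries. Stale sums do not break the build, but they show `go mod tidy` was not run in those two modules, and the same edit also adds an unrelated "+github.com/emirpasic/gods v1.18.1/go.mod h1:..." line to apistore/go.sum that the patch description ("Bump filippo.io/edwards25519 to version 1.1.1") does not explain. Suggest running `go mod tidy` in each nested module and either dropping the gods line or mentioning why it appears. Nothing in this patch touches the top-level go.mod; if the main module requires edwards25519 directly (not visible here) that requirement is unchanged, and since vendor.tar.gz is only reported as "differ: char 5, line 1", check that vendor/modules.txt ends up with exactly one filippo.io/edwards25519 entry at v1.1.1 before relying on the CVE-2026-26958 line in the changelog.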
From: Mihai Turdean <[email protected]> Date: Mon, 2 Feb 2026 23:59:08 -0800 Subject: [PATCH] Datasources: Fix permissions cleanup when deleting datasource by name (#117289) * Fix missing UID when deleting datasource by name * Add test --- pkg/api/datasources.go | 2 +- pkg/api/datasources_test.go | 54 +++++++++++++++++++++++++++++++++++++ 2 files changed, 55 insertions(+), 1 deletion(-) diff --git a/pkg/api/datasources.go b/pkg/api/datasources.go index 0eef6a7ce16..456f87f42b5 100644 --- a/pkg/api/datasources.go +++ b/pkg/api/datasources.go @@ -304,7 +304,7 @@ func (hs *HTTPServer) DeleteDataSourceByName(c *contextmodel.ReqContext) respons return response.Error(http.StatusForbidden, "Cannot delete read-only data source", nil) } - cmd := &datasources.DeleteDataSourceCommand{Name: name, OrgID: c.SignedInUser.GetOrgID()} + cmd := &datasources.DeleteDataSourceCommand{Name: name, OrgID: c.SignedInUser.GetOrgID(), UID: dataSource.UID} err = hs.DataSourcesService.DeleteDataSource(c.Req.Context(), cmd) if err != nil { if errors.As(err, &secretsPluginError) { diff --git a/pkg/api/datasources_test.go b/pkg/api/datasources_test.go index fa057d3ccd5..ae426b73f32 100644 --- a/pkg/api/datasources_test.go +++ b/pkg/api/datasources_test.go 
@@ -446,6 +446,56 @@ func TestAPI_datasources_AccessControl(t *testing.T) { } } +func TestDeleteDataSourceByName_IncludesUIDForPermissions(t *testing.T) { + t.Run("should include UID when deleting datasource by name", func(t *testing.T) { + const dsName = "test-datasource" + const dsUID = "test-uid-12345" + const orgID int64 = 1 + + var capturedDeleteCmd *datasources.DeleteDataSourceCommand + + // Mock datasource service + mockDsService := &dataSourcesServiceMock{ + expectedDatasource: &datasources.DataSource{ + Name: dsName, + UID: dsUID, + OrgID: orgID, + }, + mockDeleteDataSource: func(ctx context.Context, cmd *datasources.DeleteDataSourceCommand) error { + capturedDeleteCmd = cmd + return nil + }, + } + + hs := &HTTPServer{ + Cfg: setting.NewCfg(), + pluginStore: &pluginstore.FakePluginStore{}, + DataSourcesService: mockDsService, + Live: newTestLive(t), + } + + // Create scenario context + sc := setupScenarioContext(t, "/api/datasources/name/"+dsName) + sc.m.Delete(sc.url, routing.Wrap(func(c *contextmodel.ReqContext) response.Response { + c.Req = web.SetURLParams(c.Req, map[string]string{":name": dsName}) + c.SignedInUser = authedUserWithPermissions(orgID, 1, []ac.Permission{}) + c.OrgID = orgID + return hs.DeleteDataSourceByName(c) + })) + + sc.fakeReqWithParams("DELETE", sc.url, map[string]string{":name": dsName}).exec() + + // Verify the response was successful + assert.Equal(t, 200, sc.resp.Code) + + // Verify that DeleteDataSource was called with the UID populated + require.NotNil(t, capturedDeleteCmd, "DeleteDataSource should have been called") + assert.Equal(t, dsName, capturedDeleteCmd.Name, "Command should have datasource name") + assert.Equal(t, dsUID, capturedDeleteCmd.UID, "Command should have datasource UID for permissions cleanup") + assert.Equal(t, orgID, capturedDeleteCmd.OrgID, "Command should have correct org ID") + }) +} + type dataSourcesServiceMock struct { datasources.DataSourceService 
@@ -454,6 +504,7 @@ type dataSourcesServiceMock struct { expectedError error mockUpdateDataSource func(ctx context.Context, cmd *datasources.UpdateDataSourceCommand) (*datasources.DataSource, error) + mockDeleteDataSource func(ctx context.Context, cmd *datasources.DeleteDataSourceCommand) error } func (m *dataSourcesServiceMock) GetDataSource(ctx context.Context, query *datasources.GetDataSourceQuery) (*datasources.DataSource, error) { @@ -469,6 +520,9 @@ func (m *dataSourcesServiceMock) GetDataSourcesByType(ctx context.Context, query } func (m *dataSourcesServiceMock) DeleteDataSource(ctx context.Context, cmd *datasources.DeleteDataSourceCommand) error { + if m.mockDeleteDataSource != nil { + return m.mockDeleteDataSource(ctx, cmd) + } return m.expectedError } -- 2.51.0 ++++++ Makefile ++++++ --- /var/tmp/diff_new_pack.HSEOAL/_old 2026-04-22 17:02:51.088046048 +0200 +++ /var/tmp/diff_new_pack.HSEOAL/_new 2026-04-22 17:02:51.132047807 +0200 @@ -26,7 +26,9 @@ patch --no-backup-if-mismatch -p1 -i ../../0001-Add-source-code-reference.patch && \ # End patches section \ # Patches for Go modules go after here \ - patch --no-backup-if-mismatch -p1 -i ../../0003-Bump-expr-lang.patch && \ + patch --no-backup-if-mismatch -p1 -i ../../0002-Drop-zanzana.patch && \ + patch --no-backup-if-mismatch -p1 -i ../../0004-Bump-expr-lang.patch && \ + patch --no-backup-if-mismatch -p1 -i ../../0005-Bump-edwards25519.patch && \ # End of Go modules patches section \ go mod download && \ go mod verify && \ ++++++ _service ++++++ --- /var/tmp/diff_new_pack.HSEOAL/_old 2026-04-22 17:02:51.404058679 +0200 +++ /var/tmp/diff_new_pack.HSEOAL/_new 2026-04-22 17:02:51.448060438 +0200 
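Review bot: In 0006-Fix-CVE-2026-21725.patch the new test only proves that `UID: dataSource.UID` is copied into the DeleteDataSourceCommand; DeleteDataSource itself is replaced by `mockDeleteDataSource`, so nothing in the test shows that the permission entries keyed on the UID are actually removed, which is the regression the commit title "Fix permissions cleanup when deleting datasource by name" describes. A service-level test that deletes by name through the real DataSourcesService and then asserts that no permissions remain for that UID would guard the bug itself rather than the plumbing. Two smaller points: the handler is called with `authedUserWithPermissions(orgID, 1, []ac.Permission{})` yet the test expects 200, so the route's access check must live in middleware outside DeleteDataSourceByName; a one-line comment saying so would stop the empty permission list being read as a second bug. And DeleteDataSourceByUID is not in this diff; please confirm that path already populates UID on its command, otherwise the same orphaned-permission problem exists there.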
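Review bot: In the Makefile hunk the Go-modules section now applies 0002-Drop-zanzana.patch, 0004-Bump-expr-lang.patch and 0005-Bump-edwards25519.patch before `go mod download && go mod verify`, but 0002-Drop-zanzana.patch is "5764 lines (skipped)" in this mail and the resulting vendor.tar.gz change is shown only as a binary difference, so the effect of the largest patch on the vendored tree cannot be reviewed from here. Please add a summary of which modules Drop-zanzana removes to that patch's header. Also note that `go mod verify` checks the module cache against go.sum; it will not flag the leftover v1.1.0 edwards25519 sums that 0005 leaves in place, so it is not a substitute for `go mod tidy`.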
@@ -4,8 +4,9 @@ <param name="scm">git</param> <param name="exclude">.git</param> <param name="versionformat">@PARENT_TAG@</param> - <param name="versionrewrite-pattern">v(.*)</param> - <param name="revision">v11.6.7</param> + <param name="versionrewrite-pattern">v(.*)-(.*)</param> + <param name="versionrewrite-replacement">\1\2</param> + <param name="revision">v11.6.14+security-01</param> </service> <service name="recompress" mode="manual"> <param name="compression">gz</param> @@ -13,7 +14,7 @@ </service> <service name="set_version" mode="manual"> <param name="basename">grafana</param> - <param name="version">11.6.7</param> + <param name="version">11.6.14+security01</param> </service> </services> ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/grafana/vendor.tar.gz /work/SRC/openSUSE:Factory/.grafana.new.11940/vendor.tar.gz differ: char 5, line 1
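Review bot: The new `versionrewrite-pattern` v(.*)-(.*) with replacement \1\2 correctly turns the tag v11.6.14+security-01 into 11.6.14+security01 (RPM versions cannot contain "-"), but it no longer matches a plain tag such as the previous v11.6.7, so the next non-security release will need the pattern changed back or made tolerant of a missing dash, for example v([^-]*)-?(.*) with the same replacement. The `set_version` value 11.6.14+security01 remains a second hand-maintained copy of the same string; keep it in lockstep with the rewrite, since nothing in the service file cross-checks them.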
