Date: Sat, 23 Jul 2022 22:01:04 GMT
Message-Id: <202207232201.26NM142u079936@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Nuno Teixeira
Subject: git: 4bd697c3b70f - main - security/vuxml: Document new Grafana vulnerabilities
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
X-Git-Committer: eduardo
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 4bd697c3b70fe899b89048a3581a688832befb98

The branch main has been updated by eduardo:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=4bd697c3b70fe899b89048a3581a688832befb98

commit 4bd697c3b70fe899b89048a3581a688832befb98
Author:     Boris Korzun
AuthorDate: 2022-07-23 21:57:43 +0000
Commit:     Nuno Teixeira
CommitDate: 2022-07-23 21:57:43 +0000

    security/vuxml: Document new Grafana vulnerabilities

    CVE-2022-31097 - Stored XSS
    CVE-2022-31107 - OAuth Account Takeover

    PR:		265330
---
 security/vuxml/vuln-2022.xml | 82 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)

diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml
index fdfcc1f52ada..246c27b6cbd5 100644
--- a/security/vuxml/vuln-2022.xml
+++ b/security/vuxml/vuln-2022.xml
@@ -167,6 +167,88 @@ + + Grafana -- Stored XSS + + + grafana + 8.3.08.3.10 + 8.4.08.4.10 + 8.5.08.5.9 + 9.0.09.0.3 + + + grafana8 + 8.3.08.3.10 + 8.4.08.4.10 + 8.5.08.5.9 + + + grafana9 + 9.0.3 + + + + +

Grafana Labs reports:

+
+

An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. (Note: Grafana Alerting is activated by default in Grafana 9.0.)

+
+ +
+ + CVE-2022-31097 + https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f + + + 2022-06-19 + 2022-07-15 + +
+ + + Grafana -- OAuth Account Takeover + + + grafana + 5.3.08.3.10 + 8.4.08.4.10 + 8.5.08.5.9 + 9.0.09.0.3 + + + grafana7 + 7.0 + + + grafana8 + 8.3.08.3.10 + 8.4.08.4.10 + 8.5.08.5.9 + + + grafana9 + 9.0.3 + + + + +

Grafana Labs reports:

+
+

It is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP to take over an existing Grafana account under some conditions.

+
+ +
+ + CVE-2022-31107 + https://github.com/grafana/grafana/security/advisories/GHSA-mx47-6497-3fv2 + + + 2022-06-27 + 2022-07-15 + +
+ go -- multiple vulnerabilities
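Review bot: The entry date in both new entries is 2022-07-15 (the second of the two dates following each CVE reference and advisory URL), while this commit lands on 2022-07-23; VuXML's entry date records when the entry was added to the database, so it should be bumped to the commit date in both the "Grafana -- Stored XSS" and "Grafana -- OAuth Account Takeover" entries, and `make validate` in security/vuxml should be run afterwards to confirm the file still passes. The discovery dates (2022-06-19 for CVE-2022-31097, 2022-06-27 for CVE-2022-31107) and the GHSA advisory URLs can stay as they are. The affected ranges are consistent between the two entries: the XSS entry starts at 8.3.0 and therefore lists no grafana7 package, whereas the OAuth entry starts at 5.3.0 and covers grafana7 in full, with both capped at 8.3.10, 8.4.10, 8.5.9 and 9.0.3.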