Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[21.05] grafana: 7.5.10 -> 7.5.11, fix CVE-2021-39226 #140748

Merged
merged 1 commit into from
Oct 9, 2021
Merged

[21.05] grafana: 7.5.10 -> 7.5.11, fix CVE-2021-39226 #140748

merged 1 commit into from
Oct 9, 2021

Conversation

Ma27
Copy link
Member

@Ma27 Ma27 commented Oct 6, 2021
edited
Loading

Motivation for this change

ChangeLog: https://github.com/grafana/grafana/releases/tag/v7.5.11
Follow-up on 21.05 for #140718

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • 21.11 Release Notes (or backporting 21.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@Ma27 Ma27 added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Oct 6, 2021
@Ma27 Ma27 changed the title grafana: 7.5.10 -> 7.5.11, fix CVE-2021-39226 [21.05] grafana: 7.5.10 -> 7.5.11, fix CVE-2021-39226 Oct 6, 2021
@ofborg ofborg bot added 11.by: package-maintainer This PR was created by the maintainer of the package it changes 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 10.rebuild-linux: 1 labels Oct 6, 2021
LeSuisse
LeSuisse reviewed Oct 6, 2021
View reviewed changes
pkgs/servers/monitoring/grafana/default.nix
};

srcStatic = fetchurl {
url = "https://dl.grafana.com/oss/release/grafana-${version}.linux-amd64.tar.gz";
sha256 = "sha256-xwbd5Qu+btRSqowXCVhmceOGiXiSHeBamJi0Tx79zsc=";
sha256 = "sha256-MkTQztSNLelybJo71tXwjBtqCB1CZlQB4DP8SjHFfV0=";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hum I do not get the same hash on my end 😕

$ nix-build -A grafana
these derivations will be built:
  /nix/store/dzaqkmng6l4d56ssidyj2ww2pnph2mi1-grafana-7.5.11.linux-amd64.tar.gz.drv
  /nix/store/68y66wb5c1iy4r306rfrp0v7kv66idcy-grafana-7.5.11.drv
building '/nix/store/dzaqkmng6l4d56ssidyj2ww2pnph2mi1-grafana-7.5.11.linux-amd64.tar.gz.drv'...

trying https://dl.grafana.com/oss/release/grafana-7.5.11.linux-amd64.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 49.7M  100 49.7M    0     0  29.8M      0  0:00:01  0:00:01 --:--:-- 29.8M
hash mismatch in fixed-output derivation '/nix/store/ycsi4974d8wx0wybvgz3gpy89nzfbsi8-grafana-7.5.11.linux-amd64.tar.gz':
  wanted: sha256:0pbxqlqlmz1kw00m8rj23l46l6wcy3axcfwsdirfjbcdsk7d0i1j
  got:    sha256:1hp03rdz5cj0y00ksmipf6vsnjwghlnjzlpp9p47d3mcidld3ign

It might be similar to the situation encountered in #130201

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for cross-checking, left a response in https://community.grafana.com/t/grafana-oss-8-0-6-tarball-checksum-does-not-always-match/50785/3.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tested again, issue appears to be solved on my end now.

@risicle
Copy link
Contributor

risicle commented Oct 8, 2021

Appears to WFM on nixos x86_64, along with nixosTests.grafana.

LeSuisse
LeSuisse approved these changes Oct 9, 2021
View reviewed changes
pkgs/servers/monitoring/grafana/default.nix
};

srcStatic = fetchurl {
url = "https://dl.grafana.com/oss/release/grafana-${version}.linux-amd64.tar.gz";
sha256 = "sha256-xwbd5Qu+btRSqowXCVhmceOGiXiSHeBamJi0Tx79zsc=";
sha256 = "sha256-MkTQztSNLelybJo71tXwjBtqCB1CZlQB4DP8SjHFfV0=";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tested again, issue appears to be solved on my end now.

@Ma27 Ma27 merged commit 0c106b8 into NixOS:release-21.05 Oct 9, 2021
@Ma27 Ma27 deleted the bump-grafana-2105 branch October 9, 2021 11:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@LeSuisse LeSuisse LeSuisse approved these changes

@globin globin Awaiting requested review from globin

@WilliButz WilliButz Awaiting requested review from WilliButz

@Frostman Frostman Awaiting requested review from Frostman

@fpletz fpletz Awaiting requested review from fpletz

@offlinehacker offlinehacker Awaiting requested review from offlinehacker

@kalbasit kalbasit Awaiting requested review from kalbasit

Assignees
No one assigned
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 10.rebuild-linux: 1 11.by: package-maintainer This PR was created by the maintainer of the package it changes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Ma27 @risicle @LeSuisse