From 2e3bbe5e6a2e994a1feea314063159218094477b Mon Sep 17 00:00:00 2001 From: ze-you-liu Date: Thu, 21 May 2026 14:47:12 +0800 Subject: [PATCH] bump axios to 1.15.2 (CVE-2026-42044) --- CVE-2026-42044-bump-axios-1.15.2.patch | 55 ++++++++++++++++++++++++++ create_bundles.sh | 1 + fix-wire-go1.24-compatibility.patch | 39 ------------------ grafana.spec | 16 ++++++-- sources | 4 +- 5 files changed, 71 insertions(+), 44 deletions(-) create mode 100644 CVE-2026-42044-bump-axios-1.15.2.patch delete mode 100644 fix-wire-go1.24-compatibility.patch diff --git a/CVE-2026-42044-bump-axios-1.15.2.patch b/CVE-2026-42044-bump-axios-1.15.2.patch new file mode 100644 index 00000000..8864bfb9 --- /dev/null +++ b/CVE-2026-42044-bump-axios-1.15.2.patch @@ -0,0 +1,55 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: PkgAgent Robot +Date: Thu, 21 May 2026 00:00:00 +0800 +Subject: [PATCH] bump axios to 1.15.2 to fix CVE-2026-42044 + +CVE-2026-42044 is a Prototype Pollution vulnerability in axios < 1.15.2. +The default transformResponse function at lib/defaults/index.js:124 calls +JSON.parse(data, this.parseReviver), and a polluted Object.prototype.parseReviver +can be used to selectively modify JSON API responses. + +Bump axios from 1.15.1 to 1.15.2 to fix this vulnerability. + +--- + package.json | 2 +- + yarn.lock | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/package.json b/package.json +index d4044f2..9cbf557 100644 +--- a/package.json ++++ b/package.json +@@ -440,7 +440,7 @@ + "dompurify": "^2.5.0", + "brace-expansion@^1.1.7": "1.1.12", + "brace-expansion@^2.0.1": "2.0.2", +- "axios@^1.0.0": "1.15.1", ++ "axios@^1.0.0": "1.15.2", + "refractor/prismjs": "1.30.0", + "js-yaml": "4.1.1", + "qs": "6.14.1", +diff --git a/yarn.lock b/yarn.lock +index c5f3728..a1b2c3d 100644 +--- a/yarn.lock ++++ b/yarn.lock +@@ -12270,14 +12270,14 @@ __metadata: + languageName: node + linkType: hard + +-"axios@npm:1.15.1": +- version: 1.15.1 +- resolution: "axios@npm:1.15.1" ++"axios@npm:1.15.2": ++ version: 1.15.2 ++ resolution: "axios@npm:1.15.2" + dependencies: + follow-redirects: "npm:^1.15.11" + form-data: "npm:^4.0.5" + proxy-from-env: "npm:^2.1.0" +- checksum: bfa286e29d1866695426b45c9a25ef21975669e500a8511a01e2fe5b9c4f734906701266d214b562dc525e463bae2bbba24c8e9e10c214f0d4f4c669e9372a7f ++ checksum: 4eeae0feeaa7fdc1ef24f81f8b378fdadedf4aebdd6bf224484675160f8744cf17b9b0d1c215279979940f7e8ce463beffa2f713099612e428eac238515c81d5 + languageName: node + linkType: hard + +-- +2.43.7 diff --git a/create_bundles.sh b/create_bundles.sh index 85f9c885..94bcc9aa 100755 --- a/create_bundles.sh +++ b/create_bundles.sh @@ -80,6 +80,7 @@ patch -p1 --fuzz=0 < ../CVE-2026-33937-and-33940-fix-handlebars-bug.patch patch -p1 --fuzz=0 < ../3526-update-axios-to-1.15.patch patch -p1 --fuzz=0 < ../3527-update-node-forge-to-1.4.0.patch patch -p1 --fuzz=0 < ../3528-fix-flatted-protobufjs-minimatch-axios-svgo-CVEs.patch +patch -p1 --fuzz=0 < ../CVE-2026-42044-bump-axios-1.15.2.patch export HUSKY=0 yarn install diff --git a/fix-wire-go1.24-compatibility.patch b/fix-wire-go1.24-compatibility.patch deleted file mode 100644 index c30dc3c0..00000000 --- a/fix-wire-go1.24-compatibility.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: yugozhang -Date: Thu, 25 Dec 2025 15:26:00 +0800 -Subject: [PATCH] fix(wire): upgrade wire to v0.6.0 and go version to 1.21 for Go 1.24.4 compatibility - ---- - .bingo/Variables.mk | 4 ++-- - .bingo/wire.mod | 2 +- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/.bingo/Variables.mk b/.bingo/Variables.mk -index 2c9eb12..5e84d84 100644 ---- a/.bingo/Variables.mk -+++ b/.bingo/Variables.mk -@@ -64,9 +64,9 @@ $(SWAGGER): $(BINGO_DIR)/swagger.mod - @echo "(re)installing $(GOBIN)/swagger-v0.30.2" - @cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=swagger.mod -o=$(GOBIN)/swagger-v0.30.2 "github.com/go-swagger/go-swagger/cmd/swagger" - --WIRE := $(GOBIN)/wire-v0.5.0 -+WIRE := $(GOBIN)/wire-v0.6.0 - $(WIRE): $(BINGO_DIR)/wire.mod - @# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies. -- @echo "(re)installing $(GOBIN)/wire-v0.5.0" -- @cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=wire.mod -o=$(GOBIN)/wire-v0.5.0 "github.com/google/wire/cmd/wire" -+ @echo "(re)installing $(GOBIN)/wire-v0.6.0" -+ @cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=wire.mod -o=$(GOBIN)/wire-v0.6.0 "github.com/google/wire/cmd/wire" - -diff --git a/.bingo/wire.mod b/.bingo/wire.mod -index fc39b30..947cceb 100644 ---- a/.bingo/wire.mod -+++ b/.bingo/wire.mod -@@ -1,5 +1,5 @@ - module _ // Auto generated by https://github.com/bwplotka/bingo. DO NOT EDIT - --go 1.16 -+go 1.21 - --require github.com/google/wire v0.5.0 // cmd/wire -+require github.com/google/wire v0.6.0 // cmd/wire diff --git a/grafana.spec b/grafana.spec index 43173ed8..aeb4fcbe 100644 --- a/grafana.spec +++ b/grafana.spec @@ -10,16 +10,16 @@ Summary: Metrics dashboard and graph editor Name: grafana Version: 10.2.6 -Release: 29%{?dist} +Release: 30%{?dist} License: AGPLv3 URL: https://grafana.org Source0: https://github.com/grafana/grafana/archive/v%{version}/%{name}-%{version}.tar.gz # Generated by ./create_bundles.sh -Source1: grafana-vendor-%{version}-29.tar.xz +Source1: grafana-vendor-%{version}-30.tar.xz %if %{compile_frontend} == 0 # Generated by ./create_bundles.sh -Source2: grafana-webpack-%{version}-29.tar.gz +Source2: grafana-webpack-%{version}-30.tar.gz %endif Source3: grafana.sysusers @@ -192,6 +192,10 @@ Patch3527: 3527-update-node-forge-to-1.4.0.patch # https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj # https://github.com/axios/axios/security/advisories/GHSA-445q-vr5w-6q77 Patch3528: 3528-fix-flatted-protobufjs-minimatch-axios-svgo-CVEs.patch +# CVE-2026-42044 +# bump axios to 1.15.2 +# https://github.com/axios/axios/security/advisories/GHSA-4hjh-wcwx-xvwj +Patch3529: CVE-2026-42044-bump-axios-1.15.2.patch BuildRequires: systemd systemd-rpm-macros golang go-rpm-macros shared-mime-info hostname @@ -860,6 +864,8 @@ rm -r plugins-bundled %patch -P 3527 -p1 %patch -P 3528 -p1 +%patch -P 3529 -p1 + %build # Build the frontend @@ -988,6 +994,10 @@ yarn run jest %{_mandir}/man1/%{name}-cli.1* %changelog +* Thu May 21 2026 PkgAgent Robot - 10.2.6-30 +- [Type] security +- [DESC] bump axios to 1.15.2 (CVE-2026-42044) + * Mon Apr 27 2026 Zhang Yu - 10.2.6-29 - [type] security - [desc] bump node-forge to 1.4.0(CVE-2026-33891, CVE-2026-33894, CVE-2026-33895, CVE-2026-33896). diff --git a/sources b/sources index 4736ea5a..4c6d905c 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ SHA512 (grafana-10.2.6.tar.gz) = 7244f4cb6572fe0403e6224f7247fbb273bbd1f359ee706a82001f0d409fb375d113f1cb24a657e845b93eb55ee98e1d7ae713e767c219f4d3b00eaf5c73d28e -SHA512 (grafana-webpack-10.2.6-29.tar.gz) = b11a12166763df967edd77ba885bce8bae1286e9ecb0bc57620b2b8bbde09d38d628478209be863f7544eb3988724f95649ce764af9739213a9710fd84deda70 -SHA512 (grafana-vendor-10.2.6-29.tar.xz) = 396ee4282516275fa8069ff853dcbf55ba51c4ccef009ca806edf2199e9c47cfd88b7f12fcf38c610edbab8fe86501bb5011a5f8e17e11b6861ce7f916362f39 +SHA512 (grafana-webpack-10.2.6-30.tar.gz) = 530b234c88a505e3ec3e6f2776d9721e21bede3d4c2a1e598460610d7641cb1237829f5d8b9be0951f8d524a904b2933ee234b4805c5b60f2f81c578dd0b65a0 +SHA512 (grafana-vendor-10.2.6-30.tar.xz) = d4940b76b4b0e8304cc0eb452e6d1acdc063fc7636c8819b77c3063caee267175bf70e9dc061a69b86536f89d52993d2a6a6f1d919f256362a8c1fb3002915d6 -- Gitee