Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package grafana for openSUSE:Factory checked in at 2026-05-05 17:42:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/grafana (Old) and /work/SRC/openSUSE:Factory/.grafana.new.30200 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "grafana" Tue May 5 17:42:44 2026 rev:84 rq:1350990 version:11.6.14+security01 Changes: -------- --- /work/SRC/openSUSE:Factory/grafana/grafana.changes 2026-05-04 17:30:32.865750048 +0200 +++ /work/SRC/openSUSE:Factory/.grafana.new.30200/grafana.changes 2026-05-05 17:43:00.105096171 +0200 @@ -1,0 +2,7 @@ +Mon May 4 14:29:36 UTC 2026 - Witek Bedyk <[email protected]> + +- CVE-2026-41602: Fix Integer Overflow or Wraparound vulnerability + in Apache Thrift (bsc#1263501) + * Add 0008-Bump-github.com-apache-thrift.patch + +------------------------------------------------------------------- New: ---- 0008-Bump-github.com-apache-thrift.patch ----------(New B)---------- New: in Apache Thrift (bsc#1263501) * Add 0008-Bump-github.com-apache-thrift.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ grafana.spec ++++++ --- /var/tmp/diff_new_pack.YUnotQ/_old 2026-05-05 17:43:07.029382584 +0200 +++ /var/tmp/diff_new_pack.YUnotQ/_new 2026-05-05 17:43:07.029382584 +0200 @@ -42,6 +42,7 @@ Patch5: 0005-Bump-edwards25519.patch Patch6: 0006-Fix-CVE-2026-21725.patch Patch7: 0007-Bump-github.com-go-jose-go-jose.patch +Patch8: 0008-Bump-github.com-apache-thrift.patch BuildRequires: fdupes BuildRequires: git-core BuildRequires: golang(API) >= 1.25 ++++++ 0008-Bump-github.com-apache-thrift.patch ++++++ >From 0948f8427c4d6de96107f19381521e78c5512ed3 Mon Sep 17 00:00:00 2001 From: Witek Bedyk <[email protected]> Date: Mon, 4 May 2026 16:13:00 +0200 Subject: [PATCH] Bump github.com/apache/thrift to version 0.23.0 --- go.mod | 2 +- go.sum | 4 ++-- pkg/aggregator/go.mod | 1 + pkg/aggregator/go.sum | 3 +-- pkg/promlib/go.mod | 1 + pkg/promlib/go.sum | 3 +-- pkg/storage/unified/apistore/go.mod | 2 +- pkg/storage/unified/apistore/go.sum | 3 +-- 8 files changed, 9 insertions(+), 10 deletions(-) diff --git a/go.mod b/go.mod index 68c8575c6c0..1c0c0f86fa1 100644 --- a/go.mod +++ b/go.mod @@ -260,7 +260,7 @@ require ( github.com/alecthomas/units v0.0.0-20240927000941-0f3dac36c52b // indirect github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect github.com/antlr4-go/antlr/v4 v4.13.1 // indirect - github.com/apache/thrift v0.21.0 // indirect + github.com/apache/thrift v0.23.0 // indirect github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect github.com/armon/go-metrics v0.4.1 // indirect diff --git a/go.sum b/go.sum index 2a9878a5271..dfea9599aee 100644 --- a/go.sum +++ b/go.sum @@ -809,8 +809,8 @@ github.com/apache/arrow/go/v10 v10.0.1/go.mod h1:YvhnlEePVnBS4+0z3fhPfUy7W1Ikj0I github.com/apache/arrow/go/v11 v11.0.0/go.mod h1:Eg5OsL5H+e299f7u5ssuXsuHQVEGC4xei5aX110hRiI= github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= github.com/apache/thrift v0.16.0/go.mod h1:PHK3hniurgQaNMZYaCLEqXKsYK8upmhPbmdP2FXSqgU= -github.com/apache/thrift v0.21.0 h1:tdPmh/ptjE1IJnhbhrcl2++TauVjy242rkV/UzJChnE= -github.com/apache/thrift v0.21.0/go.mod h1:W1H8aR/QRtYNvrPeFXBtobyRkd0/YVhTc6i07XIAgDw= +github.com/apache/thrift v0.23.0 h1:wKR6YnefQSEnxpEfmgTPuJibNG4bF0p2TK34tHLWi3s= +github.com/apache/thrift v0.23.0/go.mod h1:zPt6WxgvTOM6hF92y8C+MkEM5LMxZuk4JcQOiU4Esvs= github.com/apapsch/go-jsonmerge/v2 v2.0.0 h1:axGnT1gRIfimI7gJifB699GoE/oq+F2MU7Dml6nw9rQ= github.com/apapsch/go-jsonmerge/v2 v2.0.0/go.mod h1:lvDnEdqiQrp0O42VQGgmlKpxL1AP2+08jFMw88y4klk= github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw= diff --git a/pkg/aggregator/go.mod b/pkg/aggregator/go.mod index 888ca7e1d3c..5651af9e791 100644 --- a/pkg/aggregator/go.mod +++ b/pkg/aggregator/go.mod @@ -26,6 +26,7 @@ require ( github.com/NYTimes/gziphandler v1.1.1 // indirect github.com/antlr4-go/antlr/v4 v4.13.1 // indirect github.com/apache/arrow-go/v18 v18.0.1-0.20241212180703-82be143d7c30 // indirect + github.com/apache/thrift v0.23.0 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect diff --git a/pkg/aggregator/go.sum b/pkg/aggregator/go.sum index 9afbeccb136..27f25ae0564 100644 --- a/pkg/aggregator/go.sum +++ b/pkg/aggregator/go.sum @@ -13,8 +13,7 @@ github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYW github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw= github.com/apache/arrow-go/v18 v18.0.1-0.20241212180703-82be143d7c30 h1:hXVi7QKuCQ0E8Yujfu9b0f0RnzZ72efpWvPnZgnJPrE= github.com/apache/arrow-go/v18 v18.0.1-0.20241212180703-82be143d7c30/go.mod h1:RNuWDIiGjq5nndL2PyQrndUy9nMLwheA3uWaAV7fe4U= -github.com/apache/thrift v0.21.0 h1:tdPmh/ptjE1IJnhbhrcl2++TauVjy242rkV/UzJChnE= -github.com/apache/thrift v0.21.0/go.mod h1:W1H8aR/QRtYNvrPeFXBtobyRkd0/YVhTc6i07XIAgDw= +github.com/apache/thrift v0.23.0 h1:wKR6YnefQSEnxpEfmgTPuJibNG4bF0p2TK34tHLWi3s= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= diff --git a/pkg/promlib/go.mod b/pkg/promlib/go.mod index 180f5a91b9b..fb9314c96f3 100644 --- a/pkg/promlib/go.mod +++ b/pkg/promlib/go.mod @@ -20,6 +20,7 @@ require ( github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.1 // indirect github.com/BurntSushi/toml v1.5.0 // indirect github.com/apache/arrow-go/v18 v18.0.1-0.20241212180703-82be143d7c30 // indirect + github.com/apache/thrift v0.23.0 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect github.com/aws/aws-sdk-go v1.55.7 // indirect github.com/bahlo/generic-list-go v0.2.0 // indirect diff --git a/pkg/promlib/go.sum b/pkg/promlib/go.sum index 813ad565a6c..5ebf0ad198a 100644 --- a/pkg/promlib/go.sum +++ b/pkg/promlib/go.sum @@ -22,8 +22,7 @@ github.com/andybalholm/brotli v1.1.1 h1:PR2pgnyFznKEugtsUo0xLdDop5SKXd5Qf5ysW+7X github.com/andybalholm/brotli v1.1.1/go.mod h1:05ib4cKhjx3OQYUY22hTVd34Bc8upXjOLL2rKwwZBoA= github.com/apache/arrow-go/v18 v18.0.1-0.20241212180703-82be143d7c30 h1:hXVi7QKuCQ0E8Yujfu9b0f0RnzZ72efpWvPnZgnJPrE= github.com/apache/arrow-go/v18 v18.0.1-0.20241212180703-82be143d7c30/go.mod h1:RNuWDIiGjq5nndL2PyQrndUy9nMLwheA3uWaAV7fe4U= -github.com/apache/thrift v0.21.0 h1:tdPmh/ptjE1IJnhbhrcl2++TauVjy242rkV/UzJChnE= -github.com/apache/thrift v0.21.0/go.mod h1:W1H8aR/QRtYNvrPeFXBtobyRkd0/YVhTc6i07XIAgDw= +github.com/apache/thrift v0.23.0 h1:wKR6YnefQSEnxpEfmgTPuJibNG4bF0p2TK34tHLWi3s= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/aws/aws-sdk-go v1.55.7 h1:UJrkFq7es5CShfBwlWAC8DA077vp8PyVbQd3lqLiztE= diff --git a/pkg/storage/unified/apistore/go.mod b/pkg/storage/unified/apistore/go.mod index 6785c51a5e5..27083144f2a 100644 --- a/pkg/storage/unified/apistore/go.mod +++ b/pkg/storage/unified/apistore/go.mod @@ -70,7 +70,7 @@ require ( github.com/andybalholm/brotli v1.1.1 // indirect github.com/antlr4-go/antlr/v4 v4.13.1 // indirect github.com/apache/arrow-go/v18 v18.0.1-0.20241212180703-82be143d7c30 // indirect - github.com/apache/thrift v0.21.0 // indirect + github.com/apache/thrift v0.23.0 // indirect github.com/armon/go-metrics v0.4.1 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect github.com/at-wat/mqtt-go v0.19.4 // indirect diff --git a/pkg/storage/unified/apistore/go.sum b/pkg/storage/unified/apistore/go.sum index cbf9e404209..abed32fd9c9 100644 --- a/pkg/storage/unified/apistore/go.sum +++ b/pkg/storage/unified/apistore/go.sum @@ -722,8 +722,7 @@ github.com/apache/arrow/go/v10 v10.0.1/go.mod h1:YvhnlEePVnBS4+0z3fhPfUy7W1Ikj0I github.com/apache/arrow/go/v11 v11.0.0/go.mod h1:Eg5OsL5H+e299f7u5ssuXsuHQVEGC4xei5aX110hRiI= github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= github.com/apache/thrift v0.16.0/go.mod h1:PHK3hniurgQaNMZYaCLEqXKsYK8upmhPbmdP2FXSqgU= -github.com/apache/thrift v0.21.0 h1:tdPmh/ptjE1IJnhbhrcl2++TauVjy242rkV/UzJChnE= -github.com/apache/thrift v0.21.0/go.mod h1:W1H8aR/QRtYNvrPeFXBtobyRkd0/YVhTc6i07XIAgDw= +github.com/apache/thrift v0.23.0 h1:wKR6YnefQSEnxpEfmgTPuJibNG4bF0p2TK34tHLWi3s= github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= github.com/armon/go-metrics v0.4.1 h1:hR91U9KYmb6bLBYLQjyM+3j+rcd/UhE+G78SFnF8gJA= github.com/armon/go-metrics v0.4.1/go.mod h1:E6amYzXo6aW1tqzoZGT755KkbgrJsSdpwZ+3JqfkOG4= -- 2.51.0 ++++++ Makefile ++++++ --- /var/tmp/diff_new_pack.YUnotQ/_old 2026-05-05 17:43:07.125386555 +0200 +++ /var/tmp/diff_new_pack.YUnotQ/_new 2026-05-05 17:43:07.129386721 +0200 @@ -30,6 +30,7 @@ patch --no-backup-if-mismatch -p1 -i ../../0004-Bump-expr-lang.patch && \ patch --no-backup-if-mismatch -p1 -i ../../0005-Bump-edwards25519.patch && \ patch --no-backup-if-mismatch -p1 -i ../../0007-Bump-github.com-go-jose-go-jose.patch && \ + patch --no-backup-if-mismatch -p1 -i ../../0008-Bump-github.com-apache-thrift.patch && \ # End of Go modules patches section \ go mod download && \ go mod verify && \ ++++++ grafana-11.6.14+security01.tar.gz ++++++ /work/SRC/openSUSE:Factory/grafana/grafana-11.6.14+security01.tar.gz /work/SRC/openSUSE:Factory/.grafana.new.30200/grafana-11.6.14+security01.tar.gz differ: char 5, line 1 ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/grafana/vendor.tar.gz /work/SRC/openSUSE:Factory/.grafana.new.30200/vendor.tar.gz differ: char 5, line 1
