Oracle Linux ELSA-2023-6972

grafana security and enhancement update

Published: 2023-11-17 00:00:00
Source: linux.oracle.com
Tags: security enhancements, bug fixes, grafana versions, cve resolutions, systemd-sysusers, integration tests, rhel-8, azure ad oauth, fips patch, golang vulnerabilities

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 6.7 Medium (Confidence: High)
EPSS: 0.001 Low (Percentile: 51.3%)

[9.2.10-7]
  • resolve RHEL-12649
  • resolve CVE-2023-39325 CVE-2023-44487 rapid stream resets can cause excessive work
  • testing is turned off due to test failures caused by testing date mismatch

[9.2.10-6]
  • Add /usr/share/grafana to systemd-sysusers --replace

[9.2.10-5]
  • resolve CVE-2023-3128 grafana: account takeover possible when using Azure AD OAuth

[9.2.10-4]
  • bumps exporter-toolkit to v0.7.3, sanitize-url@npm to 6.0.2, skip problematic s390 tests.

[9.2.10-3]
  • Use systemd-sysusers --replace

[9.2.10-2]
  • Use systemd-sysusers instead of sysusers_create_compat, which is not available in RHEL-8

[9.2.10-1]
  • Update to 9.2.10

[7.5.15-4]
  • resolve CVE-2022-39229 grafana: using email as a username can block other users from signing in
  • resolve CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
  • resolve CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
  • resolve CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
  • run integration tests in check phase
  • update FIPS patch with latest changes in Go packaging

[7.5.15-3]
  • resolve CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
  • resolve CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
  • resolve CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
  • resolve CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
  • resolve CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
  • resolve CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
  • resolve CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
  • resolve CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
  • resolve CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal

[7.5.15-2]
  • resolve CVE-2022-31107 grafana: OAuth account takeover

[7.5.15-1]
  • update to 7.5.15 tagged upstream community sources, see CHANGELOG
  • resolve CVE-2022-21673 grafana: Forward OAuth Identity Token can allow users to access some data sources
  • resolve CVE-2022-21702 grafana: XSS vulnerability in data source handling
  • resolve CVE-2022-21703 grafana: CSRF vulnerability can lead to privilege escalation
  • resolve CVE-2022-21713 grafana: IDOR vulnerability can lead to information disclosure
  • resolve CVE-2021-23648 sanitize-url: XSS
  • resolve CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
  • declare Node.js dependencies of subpackages
  • make vendor and webpack tarballs reproducible

[7.5.11-2]
  • resolve CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache
  • resolve CVE-2021-43813 grafana: directory traversal vulnerability for *.md files

[7.5.11-1]
  • update to 7.5.11 tagged upstream community sources, see CHANGELOG
  • resolve CVE-2021-39226

[7.5.10-1]
  • update to 7.5.10 tagged upstream community sources, see CHANGELOG

[7.5.9-3]
  • rebuild to resolve CVE-2021-34558

[7.5.9-2]
  • remove unused dependency property-information
  • always include FIPS patch in SRPM

[7.5.9-1]
  • update to 7.5.9 tagged upstream community sources, see CHANGELOG

[7.5.8-1]
  • update to 7.5.8 tagged upstream community sources, see CHANGELOG
  • remove unused dependencies selfsigned, http-signature and gofpdf

[7.5.7-2]
  • remove unused cryptographic implementations
  • use cryptographic functions from OpenSSL if FIPS mode is enabled

[7.5.7-1]
  • update to 7.5.7 tagged upstream community sources, see CHANGELOG

[7.3.6-2]
  • change working dir to in grafana-cli wrapper (fixes Red Hat BZ #1916083)
  • add pcp-redis-datasource to allow_loading_unsigned_plugins config option

[7.3.6-1]
  • update to 7.3.6 tagged upstream community sources, see CHANGELOG
  • remove dependency on SAML (not supported in the open source version of Grafana)

[7.3.4-1]
  • update to 7.3.4 tagged upstream community sources, see CHANGELOG
  • bundle golang dependencies
  • optionally bundle node.js dependencies and build and test frontend as part of the specfile
  • merge all datasources into main grafana package
  • change default provisioning path to /etc/grafana/provisioning
  • resolve https://bugzilla.redhat.com/show_bug.cgi?id=1843170

[6.7.4-3]
  • apply patch for CVE-2020-13430 also to sources, not only to compiled webpack

[6.7.4-2]
  • security fix for CVE-2020-13430

[6.7.4-1]
  • update to 6.7.4 tagged upstream community sources, see CHANGELOG
  • security fix for CVE-2020-13379

[6.7.3-1]
  • update to 6.7.3 tagged upstream community sources, see CHANGELOG
  • add scripts to list Go dependencies and bundled npmjs dependencies
  • set Grafana version in Grafana UI and grafana-cli --version
  • declare README.md as documentation of datasource plugins
  • create grafana.db on first installation (fixes RH BZ #1805472)
  • change permissions of /var/lib/grafana to 750 (CVE-2020-12458)
  • change permissions of /var/lib/grafana/grafana.db to 640 and user/group grafana:grafana (CVE-2020-12458)
  • change permissions of grafana.ini and ldap.toml to 640 (CVE-2020-12459)

[6.6.2-1]
  • added patch0 to set the version string correctly
  • removed patch 004-xerrors.patch, it’s now upstream
  • added several patches for golang vendored vs build dep differences
  • added patch to move grafana-cli binary to libexec dir
  • update to 6.6.2 tagged upstream community sources, see CHANGELOG

[6.3.6-1]
  • add weak dependency on grafana-pcp
  • add patch to mute shellcheck SC1090 for grafana-cli
  • update to 6.3.6 upstream community sources, see CHANGELOG

[6.3.5-1]
  • drop uaparser patch now it’s upstream
  • add xerrors patch, see https://github.com/golang/go/issues/32246
  • use vendor sources on rawhide until modules are fully supported
  • update to latest upstream community sources, see CHANGELOG

[6.3.4-1]
  • include fix for CVE-2019-15043
  • add patch for uaparser on 32bit systems
  • update to latest upstream community sources, see CHANGELOG

[6.2.5-1]
  • update to latest upstream community sources, see CHANGELOG

[6.2.2-2]
  • Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild

[6.2.2-1]
  • split out some datasource plugins to sub-packages
  • update to latest upstream community sources, see CHANGELOG

[6.2.1-1]
  • update to latest upstream community sources, see CHANGELOG

[6.2.0-1]
  • update to latest upstream community sources
  • drop a couple of patches

[6.1.6-2]
  • add conditional unbundle_vendor_sources macro

[6.1.6-1]
  • update to latest upstream stable release 6.1.6, see CHANGELOG
  • includes jQuery 3.4.0 security update

[6.1.4-1]
  • update to latest upstream stable release 6.1.4, see CHANGELOG
  • use gobuild and gochecks macros, eliminate arch symlinks
  • re-enable grafana-debugsource package
  • fix GRAFANA_GROUP typo
  • fix more modes for brp-mangle-shebangs
  • vendor source unbundling now done in prep after patches
  • remove all rhel and fedora conditional guff

[6.1.3-1]
  • update to latest upstream stable release 6.1.3, see CHANGELOG
  • unbundle all vendor sources, replace with BuildRequires, see the long list of blocker BZs linked to BZ#1670656
  • BuildRequires go-plugin >= v1.0.0 for grpc_broker (thanks eclipseo)
  • tweak make_webpack to no longer use grunt, switch to prod build
  • add ExclusiveArch lua script (thanks quantum.analyst)
  • move db directory and plugins to /var/lib/grafana
  • split out into 6 patches, ready for upstream PRs
  • add check to run go tests for gating checks

[6.1.0-1]
  • update to latest upstream stable release 6.1.0, see CHANGELOG

[6.0.2-1]
  • bump to latest upstream stable release 6.0.2-1
  • unbundle almost all remaining vendor code, see linked blockers in BZ#1670656

[6.0.1-3]
  • bump to latest upstream stable release 6.0.1-1

[6.0.1-2]
  • unbundle and add BuildRequires for golang-github-rainycape-unidecode-devel

[6.0.1-1]
  • update to v6.0.1 upstream sources, tweak distro config, re-do patch
  • simplify make_webpack.sh script (Elliott Sales de Andrade)
  • vendor/github.com/go-ldap is now gone, so don’t unbundle it

[5.4.3-11]
  • tweak after latest feedback, bump to 5.4.3-11 (BZ 1670656)
  • build debuginfo package again
  • unbundle BuildRequires for golang-github-hashicorp-version-devel
  • remove some unneeded development files
  • remove macros from changelog and other rpmlint tweaks

[5.4.3-10]
  • tweak spec for available and unavailable (bundled) golang packages

[5.4.3-9]
  • Remove extraneous slash (cosmetic)
  • Create directories just before moving stuff in them
  • Truncate long lines
  • Group all golang stuff
  • Simplify BuildRequires/bundled Provides
  • Sort BuildRequires/bundled Provides
  • Fix bundled go packages Provides

[5.4.3-8]
  • add BuildRequires (and unbundle) vendor sources available in Fedora
  • declare Provides for remaining (bundled) vendor go sources
  • do not attempt to unbundle anything on RHEL < 7 or Fedora < 28

[5.4.3-7]
  • further refinement for spec doc section from Xavier Bachelot
  • disable debug_package to avoid empty debugsourcefiles.list

[5.4.3-6]
  • further refinement following review by Xavier Bachelot

[5.4.3-5]
  • further refinement following review by Xavier Bachelot

[5.4.3-4]
  • further spec updates after packaging review
  • reworked post-install scriptlets

[5.4.3-3]
  • tweak FHS patch, update spec after packaging review

[5.4.3-2]
  • add patch to be standard FHS compliant, remove phantomjs
  • update to v5.4.3 upstream community sources

[5.4.2-1]
  • update to v5.4.2 upstream community sources

[5.3.1-1]
  • update to v5.3.1 upstream community sources

[5.2.5-1]
  • native RPM spec build with current tagged v5.2.5 sources
