From 48545eb57393fd3ad29641348b2116eeb45d5719 Mon Sep 17 00:00:00 2001
From: yugozhang
Date: Fri, 13 Mar 2026 15:41:56 +0800
Subject: [PATCH] bump simple-git to 3.32.3, fix CVE-2026-28292.

---
 CVE-2026-28292-fix-simple-git-bug.patch | 69 +++++++++++++++++++++++++
 create_bundles.sh | 1 +
 grafana.spec | 16 ++++--
 sources | 4 +-
 4 files changed, 85 insertions(+), 5 deletions(-)
 create mode 100644 CVE-2026-28292-fix-simple-git-bug.patch

diff --git a/CVE-2026-28292-fix-simple-git-bug.patch b/CVE-2026-28292-fix-simple-git-bug.patch
new file mode 100644
index 0000000..5dfeb01
--- /dev/null
+++ b/CVE-2026-28292-fix-simple-git-bug.patch
@@ -0,0 +1,69 @@ +From b8650894aadf7c66c2287dd14ddb876696e07479 Mon Sep 17 00:00:00 2001 +From: yugozhang +Date: Fri, 13 Mar 2026 15:45:21 +0800 +Subject: [PATCH] bump simple-git to 3.32.3, fix CVE-2026-28292. + +--- + package.json | 3 ++- + yarn.lock | 14 +++++++------- + 2 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/package.json b/package.json +index 5542730..6a1ec63 100644 +--- a/package.json ++++ b/package.json +@@ -454,7 +454,8 @@ + "form-data@~2.3.2": "2.5.4", + "form-data@^3.0.0": "3.0.4", + "form-data@^4.0.0": "4.0.4", +- "rollup": "2.80.0" ++ "rollup": "2.80.0", ++ "simple-git": "3.32.3" + }, + "workspaces": { + "packages": [ +diff --git a/yarn.lock b/yarn.lock +index 9f4d569..0582222 100644 +--- a/yarn.lock ++++ b/yarn.lock +@@ -2834,7 +2834,7 @@ __metadata: + lines-and-columns: "npm:^2.0.3" + minimatch: "npm:^5.0.1" + prettier: "npm:^2.3.2" +- simple-git: "npm:^3.6.0" ++ simple-git: "npm:3.32.3" + ts-node: "npm:^10.2.1" + tslib: "npm:^2.3.1" + typescript: "npm:>=2.7" +@@ -15061,7 +15061,7 @@ __metadata: + languageName: node + linkType: hard + +-"debug@npm:^4.4.1": ++"debug@npm:^4.4.0, debug@npm:^4.4.1": + version: 4.4.3 + resolution: "debug@npm:4.4.3" + dependencies: +@@ -28727,14 +28727,14 @@ __metadata: + languageName: node + linkType: hard + +-"simple-git@npm:^3.6.0": +- version: 3.16.0 +- resolution: "simple-git@npm:3.16.0" ++"simple-git@npm:3.32.3": ++ version: 3.32.3 ++ resolution: "simple-git@npm:3.32.3" + dependencies: + "@kwsites/file-exists": "npm:^1.1.1" + "@kwsites/promise-deferred": "npm:^1.1.1" +- debug: "npm:^4.3.4" +- checksum: b1c4b187bff2964bab47fd1b683ece275a599e9a466f7e2689ee1fea0360f7d13228e934d66095c911e7e8b57ab5f2526e3deeeb6e4d0c03e4d5f12f7ef03cd9 ++ debug: "npm:^4.4.0" ++ checksum: 9ec8d0cb7a1f813fe56be71cfaf85f44960befa03528560b0d8234eab957cf2a11e62e7b90e0c88066b6db314c8559698f9c13c64602aec56e0834c7508e4c83 + languageName: node + linkType: hard + +-- +2.43.7 + 
diff --git a/create_bundles.sh b/create_bundles.sh
index 4592eb7..a42fd12 100755
--- a/create_bundles.sh
+++ b/create_bundles.sh
@@ -75,6 +75,7 @@ patch -p1 --fuzz=0 < ../CVE-2026-22029-fix-remix-run-bug.patch
 patch -p1 --fuzz=0 < ../CVE-2025-13465-and-61728.patch
 patch -p1 --fuzz=0 < ../CVE-2026-27148-fix-storybook-bug.patch
 patch -p1 --fuzz=0 < ../CVE-2026-27606-fix-rollup-bug.patch
+patch -p1 --fuzz=0 < ../CVE-2026-28292-fix-simple-git-bug.patch
 export HUSKY=0
 yarn install
diff --git a/grafana.spec b/grafana.spec
index f5fbea6..740364a 100644
--- a/grafana.spec
+++ b/grafana.spec
@@ -10,16 +10,16 @@ Summary: Metrics dashboard and graph editor
 Name: grafana
 Version: 10.2.6
-Release: 25%{?dist}
+Release: 26%{?dist}
 License: AGPLv3
 URL: https://grafana.org
 Source0: https://github.com/grafana/grafana/archive/v%{version}/%{name}-%{version}.tar.gz
 # Generated by ./create_bundles.sh
-Source1: grafana-vendor-%{version}-25.tar.xz
+Source1: grafana-vendor-%{version}-26.tar.xz
 %if %{compile_frontend} == 0
 # Generated by ./create_bundles.sh
-Source2: grafana-webpack-%{version}-25.tar.gz
+Source2: grafana-webpack-%{version}-26.tar.gz
 %endif
 Source3: grafana.sysusers
@@ -163,6 +163,11 @@ Patch3522: CVE-2026-27148-fix-storybook-bug.patch
 # https://github.com/rollup/rollup/security/advisories/GHSA-mw96-cpmx-2vgc
 Patch3523: CVE-2026-27606-fix-rollup-bug.patch
+# CVE-2026-28292
+# bump simple-git to 3.32.3
+# https://www.codeant.ai/security-research/simple-git-remote-code-execution-cve-2026-28292
+Patch3524: CVE-2026-28292-fix-simple-git-bug.patch
+
 BuildRequires: systemd systemd-rpm-macros golang go-rpm-macros shared-mime-info hostname
 %if %{compile_frontend}
@@ -824,6 +829,7 @@ rm -r plugins-bundled
 %patch -P 3521 -p1
 %patch -P 3522 -p1
 %patch -P 3523 -p1
+%patch -P 3524 -p1
 %build
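Review bot: The added `patch -p1 --fuzz=0 < ../CVE-2026-28292-fix-simple-git-bug.patch` line carries no failure handling, and nothing in this hunk shows the script running under `set -e`; if it does not, a rejected hunk (the patch targets a `resolutions` block in package.json and two yarn.lock entries, both of which will drift on the next rebase) only prints to the log, and the `yarn install` that follows vendors simple-git 3.16.0 into a tarball the spec then records as the fixed build. Either `set -euo pipefail` at the top of the script (outside this hunk) or `|| exit 1` appended to each patch line closes that gap. Because the fix exists only as the contents of the regenerated vendor tarball, an explicit check after `yarn install`, e.g. `yarn info simple-git --name-only | grep -q 'simple-git@npm:3.32.3' || exit 1`, would make the bump verifiable from the build log rather than from the SHA512 in `sources` alone (adjust the command if the project's yarn version prints a different form). The enclosing script starts and ends outside the hunk.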
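Review bot: The comment block above `Patch3524:` cites a third-party write-up (codeant.ai) as the reference for CVE-2026-28292, whereas the sibling `Patch3523:` entry two lines up cites the upstream GitHub security advisory; a downstream auditor checking this erratum needs the primary advisory (the GHSA entry or NVD record for the CVE, which pins the affected and patched version ranges), so add that URL and keep the blog as a supplement. The comment also does not say how the package is exposed: the yarn.lock workspace block touched by the patch lists simple-git beside prettier, ts-node and typescript, which suggests a frontend build-time dependency rather than code shipped in the webpack bundle, but this hunk does not establish that, so I would add a hedged line such as `# simple-git appears to be build tooling only (not in the shipped bundle) -- confirm before weighing severity` so the `[type] security` changelog tag can be assessed correctly. Note also that when `compile_frontend` is 0 the spec consumes the prebuilt Source2 webpack tarball, so on that build path the package.json/yarn.lock patch applied in %prep presumably has no effect and the fix is carried solely by the regenerated tarballs whose checksums change in `sources`.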
@@ -953,6 +959,10 @@ yarn run jest
 %{_mandir}/man1/%{name}-cli.1*
 %changelog
+* Fri Mar 13 2026 Zhang Yu - 10.2.6-26
+- [type] security
+- [desc] bump simple-git to 3.32.3(CVE-2026-28292).
+
 * Mon Mar 9 2026 Zhang Yu - 10.2.6-25
 - [type] security
 - [desc] bump rollup to 2.80.0(CVE-2026-27606).
diff --git a/sources b/sources
index 3dd6019..4c8f2db 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 SHA512 (grafana-10.2.6.tar.gz) = 7244f4cb6572fe0403e6224f7247fbb273bbd1f359ee706a82001f0d409fb375d113f1cb24a657e845b93eb55ee98e1d7ae713e767c219f4d3b00eaf5c73d28e
-SHA512 (grafana-webpack-10.2.6-25.tar.gz) = 4043aa068afb4953be83a5596fe74806d19d8b0f665bf59d728d1223013a81cb20ba7fc201bb6b8704c3244791e33ee96daf37259c5d70d9f50a300bd781f7df
-SHA512 (grafana-vendor-10.2.6-25.tar.xz) = 6c50e9676aa04bbca14f316d68f49806168f48ed86ad05756e8a73362e7f30debb55964fd1b2ff259b408cfbcba98389c9058969e003cd329eb1d695334b6fa6
+SHA512 (grafana-webpack-10.2.6-26.tar.gz) = 050b13baeb232491444082109687df37f42e2c77a9a7258fe6abed368a1943fe0186b42cd3964f2300e00fc2479bd36a42d6624263cba3191155e9eec5574385
+SHA512 (grafana-vendor-10.2.6-26.tar.xz) = 80aed25900c335d175249ef8f88c325880b71d39b0266b38cbb708377510f2ea8ae8caf20f39585d2fb8f628f7df37be7404b0eec294b5f1f282394a9597eba4
--
Gitee