Bug 727886 (CVE-2020-12758, CVE-2020-12797, CVE-2020-13170, CVE-2020-13250) - <app-admin/consul-1.7.4: Multiple vulnerabilities (CVE-2020-{13250,12797,13170,12758})
Status: RESOLVED FIXED
Alias: CVE-2020-12758, CVE-2020-12797, CVE-2020-13170, CVE-2020-13250
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/hashicorp/consul/r...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-06-10 22:32 UTC by Sam James
Modified: 2020-07-18 00:06 UTC

See Also:
Package list:
=app-admin/consul-1.7.4
Runtime testing required: ---
nattka: sanity-check+
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-10 22:32:20 UTC
* CVE-2020-13250

Description:
"Adding an option http_config.use_cache to disable agent caching for http endpoints, because Consul’s DNS and HTTP API expose a caching feature susceptible to DoS."

* CVE-2020-12797

Description:
"Propagate and enforce changes to legacy ACL tokens rules in secondary data centers."

* CVE-2020-13170

Description:
"Only resolve local acl token in the datacenter it belongs to."

* CVE-2020-12758

Description:
"Requiring service:write permissions, a service-router entry without a destination no longer crashes Consul servers."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-10 22:33:18 UTC
@maintainer(s), please bump to 1.7.4.
Comment 2 Larry the Git Cow gentoo-dev 2020-06-11 02:51:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d38e6118ffe36ad8c922ae43fb819cad3f7a0217

commit d38e6118ffe36ad8c922ae43fb819cad3f7a0217
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-06-11 02:46:13 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-06-11 02:51:20 +0000

    app-admin/consul: Bump to version 1.7.4 (bug 727886)
    
    Bug: https://bugs.gentoo.org/727886
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest            |   1 +
 app-admin/consul/consul-1.7.4.ebuild | 513 +++++++++++++++++++++++++++++++++++
 2 files changed, 514 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-11 02:52:40 UTC
@maintainer(s), thanks! Let us know when ready for stabilisation.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-16 13:29:16 UTC
@maintainer(s), I'll add CC-ARCHES now if no objections
Comment 5 Agostino Sarubbo gentoo-dev 2020-06-25 07:02:11 UTC
amd64 stable.

Maintainer(s), please clean up.
Security, please vote.
Comment 6 Larry the Git Cow gentoo-dev 2020-07-18 00:00:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d9fa02d864bb12ef6e321aa70510a297aea1c32

commit 1d9fa02d864bb12ef6e321aa70510a297aea1c32
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-17 21:27:31 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-17 23:59:55 +0000

    app-admin/consul: security cleanup
    
    Bug: https://bugs.gentoo.org/727886
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 app-admin/consul/Manifest            |  56 ----
 app-admin/consul/consul-1.7.2.ebuild | 553 -----------------------------------
 app-admin/consul/consul-1.7.3.ebuild | 514 --------------------------------
 3 files changed, 1123 deletions(-)
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-18 00:06:59 UTC
GLSA vote: no

Tree is clean, closing.