Bug 747157 (CVE-2020-25816) - <app-admin/vault-{1.4.7,1.5.5}: Incorrect access control (CVE-2020-25816)
Summary: <app-admin/vault-{1.4.7,1.5.5}: Incorrect access control (CVE-2020-25816)
Status: RESOLVED FIXED
Alias: CVE-2020-25816
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks: CVE-2020-16250, CVE-2020-16251
Reported: 2020-10-07 19:15 UTC by Sam James
Modified: 2021-01-25 23:48 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-07 19:15:01 UTC
"Batch Token Expiry: We addressed an issue where batch token leases could outlive their TTL because we were not scheduling the expiration time correctly. This vulnerability affects Vault OSS and Vault Enterprise 1.0 and newer and is fixed in 1.4.7 and 1.5.4 (CVE-2020-25816)."
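The bug title expresses the affected range in Gentoo's notation, `<app-admin/vault-{1.4.7,1.5.5}`: anything in the 1.4 line (or older, back to 1.0 per the quoted changelog) below 1.4.7, and anything in the 1.5 line below 1.5.5. The following POSIX shell check is an added example, not part of the bug report or of Vault's or Gentoo's own tooling; it maps that range onto an installed version string. The VDB path `/var/db/pkg/app-admin/vault-*` used at the bottom is the standard Portage installed-package database and is assumed to be present on the host being checked.

```shell
#!/bin/sh
# Added example (not from bug 747157 or the Vault project): decide whether an
# app-admin/vault version falls inside the range this bug covers.
# Affected per the bug:  1.0 <= v < 1.4.7   or   1.5.0 <= v < 1.5.5

# Compare two dotted numeric versions; prints -1, 0 or 1 (like strcmp).
# Missing components are treated as 0, so "1.5" == "1.5.0".
vercmp() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ -z "$x" ] && x=0
        [ -z "$y" ] && y=0
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    echo 0
}

# Reduce a Gentoo package atom or version to its numeric part:
# "app-admin/vault-1.4.7-r1" -> "1.4.7", "1.5.4_p1" -> "1.5.4".
numeric_version() {
    v="${1#app-admin/vault-}"
    v="${v%%-r*}"
    v="${v%%_*}"
    echo "$v"
}

# Exit status 0 (true) if the version is affected by CVE-2020-25816
# according to the range in the bug title, 1 (false) otherwise.
vault_affected() {
    v=$(numeric_version "$1")
    # Versions before 1.0 are out of scope per the quoted upstream changelog.
    [ "$(vercmp "$v" 1.0)" -ge 0 ] || return 1
    if [ "$(vercmp "$v" 1.5.0)" -ge 0 ]; then
        # 1.5 line and newer: Gentoo's fixed ebuild is 1.5.5.
        [ "$(vercmp "$v" 1.5.5)" -lt 0 ]
    else
        # 1.0 up to the 1.4 line: fixed in 1.4.7.
        [ "$(vercmp "$v" 1.4.7)" -lt 0 ]
    fi
}

# Check whatever Portage has installed (assumes the standard VDB location).
for d in /var/db/pkg/app-admin/vault-*; do
    [ -d "$d" ] || continue
    pv=$(basename "$d")
    if vault_affected "$pv"; then
        echo "$pv: affected by CVE-2020-25816, upgrade to >=1.4.7 / >=1.5.5"
    else
        echo "$pv: not in the affected range"
    fi
done
```

The comparison is purely numeric, so exotic suffixes (alpha, beta, rc) are dropped rather than ordered; for the released versions the bug talks about that is sufficient, and the same `vercmp` works for any `<cat/pkg-{a.b.c,x.y.z}` range on a Gentoo security bug.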
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-16 18:58:03 UTC
ping
Comment 2 Larry the Git Cow gentoo-dev 2020-11-17 05:55:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8cc4e84cb5d22c0d1303b4875c620af0a9f99cc

commit c8cc4e84cb5d22c0d1303b4875c620af0a9f99cc
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-11-17 05:52:10 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-11-17 05:55:27 +0000

    app-admin/vault: Bump to version 1.5.5
    
    Bug: https://bugs.gentoo.org/747157
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest           |  2 +
 app-admin/vault/vault-1.5.5.ebuild | 78 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 80 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03b4c32163020e5df5b6f0af4692746d43099953

commit 03b4c32163020e5df5b6f0af4692746d43099953
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-11-17 05:18:57 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-11-17 05:55:26 +0000

    app-admin/vault: Bump to version 1.4.7
    
    Bug: https://bugs.gentoo.org/747157
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest           |  2 +
 app-admin/vault/vault-1.4.7.ebuild | 77 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 79 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-06 17:41:54 UTC
ready?
Comment 4 Zac Medico gentoo-dev 2020-12-06 21:06:54 UTC
Yes, please stabilize.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-06 23:55:23 UTC
amd64 done

all arches done
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-07 01:17:01 UTC
Maintainer, please cleanup.
Comment 7 Larry the Git Cow gentoo-dev 2020-12-07 01:35:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f0bb5360fbc519550d46587af5217eae2ed514ac

commit f0bb5360fbc519550d46587af5217eae2ed514ac
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-12-07 01:33:33 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-12-07 01:35:47 +0000

    app-admin/vault: Remove vulnerable CVE-2020-25816
    
    Bug: https://bugs.gentoo.org/747157
    Package-Manager: Portage-3.0.11, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest           |  2 -
 app-admin/vault/vault-1.4.5.ebuild | 77 --------------------------------------
 2 files changed, 79 deletions(-)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-07 01:41:04 UTC
Thanks Zac!
Comment 9 NATTkA bot gentoo-dev 2021-01-07 10:41:05 UTC
Unable to check for sanity:

> no match for package: app-admin/vault-1.4.7
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-25 23:48:24 UTC
GLSA vote: no