Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 761963 (CVE-2020-35177, CVE-2020-35453) - <app-admin/vault-{1.5.6,1.6.1}: multiple vulnerabilities (CVE-2020-{35177,35453})
Summary: <app-admin/vault-{1.5.6,1.6.1}: multiple vulnerabilities (CVE-2020-{35177,354...
Status: RESOLVED FIXED
Alias: CVE-2020-35177, CVE-2020-35453
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-12-27 19:08 UTC by John Helmert III
Modified: 2021-01-26 00:59 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-27 19:08:55 UTC 
CVE-2020-35177 (https://discuss.hashicorp.com/t/hcsec-2020-25-vault-s-ldap-auth-method-allows-user-enumeration/18984):

HashiCorp Vault and Vault Enterprise allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1.

CVE-2020-35453 (https://discuss.hashicorp.com/t/hcsec-2020-24-vault-enterprise-s-sentinel-egp-policies-may-impact-parent-or-sibling-namespaces/18983):

HashiCorp Vault Enterprise’s Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces. Fixed in 1.5.6 and 1.6.1.


Maintainer, please bump to 1.5.6 and 1.6.1. Thanks!
Comment 1 Larry the Git Cow gentoo-dev 2020-12-27 21:48:09 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c770714b3ad77efd7d13d925cb5540def7341c7

commit 2c770714b3ad77efd7d13d925cb5540def7341c7
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-12-27 21:46:28 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-12-27 21:47:55 +0000

    app-admin/vault: Bump to version 1.6.1
    
    Bug: https://bugs.gentoo.org/761963
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest           |  2 +
 app-admin/vault/vault-1.6.1.ebuild | 78 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 80 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bfebed24ab184d1c1da540e3a8f3ab01f149de61

commit bfebed24ab184d1c1da540e3a8f3ab01f149de61
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-12-27 21:01:40 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-12-27 21:47:54 +0000

    app-admin/vault: Bump to version 1.5.6
    
    Bug: https://bugs.gentoo.org/761963
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest           |  2 +
 app-admin/vault/vault-1.5.6.ebuild | 78 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 80 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-27 21:54:22 UTC 
Thank you! Please proceed with stabilization when ready.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-06 00:54:37 UTC 
Ready?
Comment 4 Zac Medico gentoo-dev 2021-01-06 01:22:06 UTC 
Ready.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-06 01:26:11 UTC 
Thanks!
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-07 10:05:21 UTC 
amd64 done

all arches done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-07 10:12:43 UTC 
Please cleanup, thanks!
Comment 8 Larry the Git Cow gentoo-dev 2021-01-07 10:36:20 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d45a14aeebe8a0e7e53e6107c2a71c4f83b0238f

commit d45a14aeebe8a0e7e53e6107c2a71c4f83b0238f
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-01-07 10:35:26 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-01-07 10:36:15 +0000

    app-admin/vault: Remove vulnerable version 1.4.7
    
    Bug: https://bugs.gentoo.org/761963
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest           |  2 -
 app-admin/vault/vault-1.4.7.ebuild | 77 --------------------------------------
 2 files changed, 79 deletions(-)