CVE-2020-25594 (https://discuss.hashicorp.com/t/hcsec-2021-03-vault-api-endpoint-allowed-enumeration-of-secrets-engine-mount-paths-without-authentication/20336):
HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7.

CVE-2021-3024 (https://discuss.hashicorp.com/t/hcsec-2021-02-vault-api-endpoint-exposed-internal-ip-address-without-authentication/20334):
HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7.

CVE-2021-3282 (https://discuss.hashicorp.com/t/hcsec-2021-04-vault-enterprise-s-dr-secondaries-allowed-raft-peer-removal-without-authentication/20337):
HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=62f5d7318ff141bbff793f734b157d9ec325560b

commit 62f5d7318ff141bbff793f734b157d9ec325560b
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-02-26 01:12:46 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-02-26 01:16:12 +0000

    app-admin/vault: Bump to version 1.6.3

    Bug: https://bugs.gentoo.org/768312
    Package-Manager: Portage-3.0.15, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest           |  2 +
 app-admin/vault/vault-1.6.3.ebuild | 78 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 80 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=80562755d126ae8b3b59be7e12aea5f9a213e548

commit 80562755d126ae8b3b59be7e12aea5f9a213e548
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-02-26 01:07:31 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-02-26 01:16:12 +0000

    app-admin/vault: Bump to version 1.5.7

    Bug: https://bugs.gentoo.org/768312
    Package-Manager: Portage-3.0.15, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest           |  2 +
 app-admin/vault/vault-1.5.7.ebuild | 78 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 80 insertions(+)
1.6.3 has this: https://discuss.hashicorp.com/t/hcsec-2021-05-vault-enterprise-s-dr-secondaries-exposed-license-metadata-without-authentication/21427

Limited Unauthenticated License Read: We addressed a security vulnerability that allowed for the unauthenticated reading of Vault licenses from DR Secondaries. This vulnerability affects Vault and Vault Enterprise and is fixed in 1.6.3 (CVE-2021-27668).
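An affected-version check for the four CVEs listed in the bug description and in the 1.6.3 comment above, added here as an example (it is not Gentoo's or HashiCorp's own tooling). It assumes a version string in the shape printed by `vault version` ("Vault v1.6.1+ent (...)") or returned in the "version" field of the unauthenticated /v1/sys/health endpoint, and that a "+ent" or "+prem" build suffix marks Vault Enterprise. Only the fixed versions quoted on this page are encoded: branches with no fix listed (1.4.x and older) are treated as affected, and because the page gives no affected range for CVE-2021-27668, every release below 1.6.3 is conservatively flagged for it; confirm against HCSEC-2021-05 before acting on that one.

```python
"""Map a HashiCorp Vault version to the CVEs fixed in 1.5.7 / 1.6.2 / 1.6.3.

Added example for this bug, not Gentoo's or HashiCorp's tooling.
Assumptions: "+ent"/"+prem" suffix means Vault Enterprise; affected ranges are
taken only from the fix versions quoted on the page (see ADVISORIES).
"""
import json
import re
from typing import List, Tuple

Version = Tuple[int, int, int]

# (CVE, affected half-open ranges [lo, hi), enterprise_only)
# 1.5.7 and 1.6.2 close the first two; 1.6.0 and 1.6.1 Enterprise only for
# CVE-2021-3282; everything below 1.6.3 for CVE-2021-27668 (conservative: the
# page states only the fix version, not the first affected release).
ADVISORIES = [
    ("CVE-2020-25594", [((0, 0, 0), (1, 5, 7)), ((1, 6, 0), (1, 6, 2))], False),
    ("CVE-2021-3024",  [((0, 0, 0), (1, 5, 7)), ((1, 6, 0), (1, 6, 2))], False),
    ("CVE-2021-3282",  [((1, 6, 0), (1, 6, 2))], True),
    ("CVE-2021-27668", [((0, 0, 0), (1, 6, 3))], False),
]

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:[+-]([0-9A-Za-z.+-]+))?")


def parse_version(text: str) -> Tuple[Version, bool]:
    """Return ((major, minor, patch), is_enterprise) from a version string.

    Accepts "1.6.1", "1.6.1+ent", "Vault v1.6.1+prem.hsm (abc123)" and similar.
    Enterprise detection via the build suffix is an assumption of this example.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Vault version found in {text!r}")
    ver = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    suffix = (m.group(4) or "").lower()
    enterprise = suffix.startswith("ent") or suffix.startswith("prem")
    return ver, enterprise


def applicable_cves(text: str) -> List[str]:
    """List the CVEs from this bug that apply to the given Vault version."""
    ver, enterprise = parse_version(text)
    hits = []
    for cve, ranges, ent_only in ADVISORIES:
        if ent_only and not enterprise:
            continue
        if any(lo <= ver < hi for lo, hi in ranges):
            hits.append(cve)
    return hits


def cves_from_health_json(body: str) -> List[str]:
    """Same check, fed the JSON body of GET /v1/sys/health (unauthenticated)."""
    version = json.loads(body)["version"]
    return applicable_cves(version)


if __name__ == "__main__":
    # Constructed sample inputs, not real node output.
    for sample in ["Vault v1.6.1+ent (deadbeef)", "1.6.1", "1.6.2", "1.5.7", "1.6.3+ent"]:
        print(f"{sample:32} -> {applicable_cves(sample) or 'not affected'}")
    print(cves_from_health_json('{"initialized": true, "sealed": false, "version": "1.4.2"}'))
```

On a fleet, pull the version field from each node's /v1/sys/health response and feed it to `cves_from_health_json`; the page's own remedy is the same in every case, upgrade to 1.5.7, 1.6.2 or, for CVE-2021-27668, 1.6.3.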
Well, not sure how I missed this, but now we've got another Vault security bug we can handle this with.
Package list is empty or all packages have requested keywords.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=254c716d0dd35a6846f281fd4a3eaf970dc0bede

commit 254c716d0dd35a6846f281fd4a3eaf970dc0bede
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-07-29 21:22:59 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-01 18:05:08 +0000

    [ GLSA-202207-01 ] HashiCorp Vault: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/768312
    Bug: https://bugs.gentoo.org/797244
    Bug: https://bugs.gentoo.org/808093
    Bug: https://bugs.gentoo.org/817269
    Bug: https://bugs.gentoo.org/827945
    Bug: https://bugs.gentoo.org/829493
    Bug: https://bugs.gentoo.org/835070
    Bug: https://bugs.gentoo.org/845405
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202207-01.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
GLSA released, all done!