Bug 797244 (CVE-2021-32923) - <app-admin/vault-{1.5.9,1.6.5,1.7.3}: incorrect token expiration (CVE-2021-32923)
Status: RESOLVED FIXED
Alias: CVE-2021-32923
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://discuss.hashicorp.com/t/hcsec...
Whiteboard: B4 [glsa+]
Keywords:
Depends on:
Blocks: CVE-2020-25594, CVE-2021-27668, CVE-2021-3024, CVE-2021-3282
Reported: 2021-06-21 00:42 UTC by John Helmert III
Modified: 2022-08-01 18:09 UTC

See Also:
Package list:
app-admin/vault-1.5.9
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-21 00:42:37 UTC
CVE-2021-32923 (https://www.hashicorp.com/blog/category/vault/):

HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2.


Please bump.
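The renewal defect the CVE text describes, modelled as an added Go example. This is not Vault's code and is not part of the bug report; the page states only that renewing a lease within one second of its maximum TTL made it non-expiring, so the mechanism modelled here is an assumption: the granted TTL is capped at the time remaining before max TTL, reported in whole seconds, and a reported TTL of zero is interpreted as "no expiration". The Lease type, the function names and the timestamps are constructed for the illustration; the hardened variant sits beside the vulnerable one.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Lease carries the two fields a renewal decision needs. This type and the
// functions below are an illustration written for this bug page, not Vault's code.
type Lease struct {
	IssueTime time.Time
	MaxTTL    time.Duration
}

// remainingToMax returns how long the lease may still live before hitting MaxTTL.
func remainingToMax(l Lease, now time.Time) time.Duration {
	return l.IssueTime.Add(l.MaxTTL).Sub(now)
}

// VulnerableRenewTTL caps the requested increment at the time left before MaxTTL
// and reports the granted TTL in whole seconds. Assumed defect (not stated on the
// page): within the final second the capped value truncates to 0, and the caller
// treats ttl_seconds == 0 as "no expiration".
func VulnerableRenewTTL(l Lease, now time.Time, increment time.Duration) int64 {
	remaining := remainingToMax(l, now)
	granted := increment
	if granted > remaining {
		granted = remaining
	}
	if granted < 0 {
		granted = 0
	}
	return int64(granted / time.Second) // integer division: 500ms becomes 0
}

// FixedRenewTTL refuses any renewal that cannot grant at least one full second,
// so the capping arithmetic can never produce the zero sentinel.
func FixedRenewTTL(l Lease, now time.Time, increment time.Duration) (int64, error) {
	remaining := remainingToMax(l, now)
	if remaining < time.Second {
		return 0, errors.New("lease is at its max TTL; renewal denied")
	}
	granted := increment
	if granted > remaining {
		granted = remaining
	}
	return int64(granted / time.Second), nil
}

// ExpiresAt interprets a granted TTL the way the expiration logic in this model
// does: a zero TTL means the lease is never scheduled for revocation.
func ExpiresAt(now time.Time, ttlSeconds int64) (time.Time, bool) {
	if ttlSeconds == 0 {
		return time.Time{}, false
	}
	return now.Add(time.Duration(ttlSeconds) * time.Second), true
}

func main() {
	// Constructed scenario: a one-hour max TTL, renewed 500ms before it is reached.
	issued := time.Date(2021, 6, 21, 0, 0, 0, 0, time.UTC)
	l := Lease{IssueTime: issued, MaxTTL: time.Hour}
	now := issued.Add(time.Hour - 500*time.Millisecond)

	ttl := VulnerableRenewTTL(l, now, time.Hour)
	_, scheduled := ExpiresAt(now, ttl)
	fmt.Printf("vulnerable: granted ttl=%ds, scheduled for revocation=%v\n", ttl, scheduled)

	if _, err := FixedRenewTTL(l, now, time.Hour); err != nil {
		fmt.Println("fixed:", err)
	}

	// Ten minutes before max TTL both variants cap the hour-long request at 600s.
	earlier := issued.Add(50 * time.Minute)
	fmt.Println("vulnerable, 10 min left:", VulnerableRenewTTL(l, earlier, time.Hour))
	ttl2, _ := FixedRenewTTL(l, earlier, time.Hour)
	fmt.Println("fixed, 10 min left:", ttl2)
}
```

Running it shows the renewal 500 ms before max TTL being granted a TTL of 0 and never scheduled for revocation, while the hardened variant refuses that request; ten minutes out, both cap the hour-long request at 600 seconds, so the guard changes nothing for ordinary renewals. The operational check after upgrading to a fixed version is to confirm through Vault's lease lookup that every outstanding lease still carries an expiry, since leases renewed under the defect keep the non-expiring state they were given.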
Comment 1 Larry the Git Cow gentoo-dev 2021-06-21 02:21:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ac25ddf461c172ba4d9621be08a76106dc66bb0a

commit ac25ddf461c172ba4d9621be08a76106dc66bb0a
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-06-21 02:10:16 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-06-21 02:18:36 +0000

    app-admin/vault: Bump to version 1.6.5
    
    Bug: https://bugs.gentoo.org/797244
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest                                   | 4 ++--
 app-admin/vault/{vault-1.6.3.ebuild => vault-1.6.5.ebuild} | 0
 2 files changed, 2 insertions(+), 2 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5922a1dcfd112a6afbc0e2959f229d887534e81b

commit 5922a1dcfd112a6afbc0e2959f229d887534e81b
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-06-21 01:42:53 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-06-21 02:07:09 +0000

    app-admin/vault: Bump to version 1.5.9
    
    Bug: https://bugs.gentoo.org/797244
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest                                   | 4 ++--
 app-admin/vault/{vault-1.5.7.ebuild => vault-1.5.9.ebuild} | 0
 2 files changed, 2 insertions(+), 2 deletions(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-21 02:34:31 UTC
Thank you! Please stabilize when ready
Comment 3 Larry the Git Cow gentoo-dev 2021-06-21 02:43:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0c5e6e9773bf8f60cd469d13e6f0f25257ad9239

commit 0c5e6e9773bf8f60cd469d13e6f0f25257ad9239
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-06-21 02:39:13 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-06-21 02:43:05 +0000

    app-admin/vault: Bump to version 1.7.3
    
    Bug: https://bugs.gentoo.org/797244
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest                                   | 4 ++--
 app-admin/vault/{vault-1.7.0.ebuild => vault-1.7.3.ebuild} | 0
 2 files changed, 2 insertions(+), 2 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-25 01:05:54 UTC
Ping
Comment 5 Larry the Git Cow gentoo-dev 2021-07-25 02:28:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=423e045bb65e7795f4e6e0354d15f43958186251

commit 423e045bb65e7795f4e6e0354d15f43958186251
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-07-25 02:24:48 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-07-25 02:28:29 +0000

    app-admin/vault: Remove vulnerable version 1.5.6
    
    Bug: https://bugs.gentoo.org/797244
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest           |  2 -
 app-admin/vault/vault-1.5.6.ebuild | 78 --------------------------------------
 2 files changed, 80 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8b4d30d5292d7a081b2a70ab9ad07888fa898de8

commit 8b4d30d5292d7a081b2a70ab9ad07888fa898de8
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-07-25 02:23:57 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-07-25 02:28:27 +0000

    app-admin/vault: stabilize 1.5.9
    
    Bug: https://bugs.gentoo.org/797244
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/vault-1.5.9.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-25 02:32:51 UTC
Thanks!
Comment 7 Agostino Sarubbo gentoo-dev 2021-07-28 06:42:10 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 NATTkA bot gentoo-dev 2021-09-11 05:04:36 UTC
Unable to check for sanity:

> no match for package: app-admin/vault-1.5.9
Comment 9 Larry the Git Cow gentoo-dev 2022-08-01 18:07:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=254c716d0dd35a6846f281fd4a3eaf970dc0bede

commit 254c716d0dd35a6846f281fd4a3eaf970dc0bede
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-07-29 21:22:59 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-01 18:05:08 +0000

    [ GLSA-202207-01 ] HashiCorp Vault: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/768312
    Bug: https://bugs.gentoo.org/797244
    Bug: https://bugs.gentoo.org/808093
    Bug: https://bugs.gentoo.org/817269
    Bug: https://bugs.gentoo.org/827945
    Bug: https://bugs.gentoo.org/829493
    Bug: https://bugs.gentoo.org/835070
    Bug: https://bugs.gentoo.org/845405
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202207-01.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-01 18:08:59 UTC
GLSA released, all done!