CVE-2021-41802: HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4. Please bump.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=59132e7f66ea56403edd90f64989b6e0366ced49

commit 59132e7f66ea56403edd90f64989b6e0366ced49
Author: Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-10-10 05:18:26 +0000
Commit: Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-10-10 05:21:02 +0000

    app-admin/vault: 1.8.4 bump

    Bug: https://bugs.gentoo.org/817269
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest | 26 +++++++++++++++--
 .../{vault-1.8.3.ebuild => vault-1.8.4.ebuild} | 34 ++++++++++++++--------
 2 files changed, 46 insertions(+), 14 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5927a8d4398844e2b6beecff6d667b9a824bac83

commit 5927a8d4398844e2b6beecff6d667b9a824bac83
Author: Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-10-10 05:27:09 +0000
Commit: Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-10-10 05:27:20 +0000

    app-admin/vault: Remove vulnerable version 1.8.2

    Bug: https://bugs.gentoo.org/817269
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest | 16 -
 app-admin/vault/vault-1.8.2.ebuild | 1827 ------------------------------------
 2 files changed, 1843 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a8da5b190763ea6b9ee15e791312c00ac92d685a

commit a8da5b190763ea6b9ee15e791312c00ac92d685a
Author: Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-10-10 05:25:44 +0000
Commit: Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-10-10 05:26:10 +0000

    app-admin/vault: stable 1.8.4 for amd64, bug #817269

    Bug: https://bugs.gentoo.org/817269
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/vault-1.8.4.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Unable to check for sanity:

> no match for package: app-admin/vault-1.8.4
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=254c716d0dd35a6846f281fd4a3eaf970dc0bede

commit 254c716d0dd35a6846f281fd4a3eaf970dc0bede
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-07-29 21:22:59 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-01 18:05:08 +0000

    [ GLSA-202207-01 ] HashiCorp Vault: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/768312
    Bug: https://bugs.gentoo.org/797244
    Bug: https://bugs.gentoo.org/808093
    Bug: https://bugs.gentoo.org/817269
    Bug: https://bugs.gentoo.org/827945
    Bug: https://bugs.gentoo.org/829493
    Bug: https://bugs.gentoo.org/835070
    Bug: https://bugs.gentoo.org/845405
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202207-01.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
GLSA released, all done!