CVE-2021-45042: In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend allowed an authenticated user (with write permissions to a kv secrets engine) to cause a panic and denial of service of the storage backend. The earliest affected version is 1.4.0. Please stabilize 1.8.6.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=49e506f623779fe9bb8b1b5580a2a696dc935a47

commit 49e506f623779fe9bb8b1b5580a2a696dc935a47
Author: Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-12-18 21:15:29 +0000
Commit: Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-12-18 21:18:20 +0000

    app-admin/vault: Remove vulnerable versions

    Bug: https://bugs.gentoo.org/829493
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest | 7 -
 app-admin/vault/vault-1.8.5.ebuild | 1837 ----------------------------------
 app-admin/vault/vault-1.9.0.ebuild | 1898 ------------------------------------
 3 files changed, 3742 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2e6ed71b6f62c3be3f384486c417a855e907d8d5

commit 2e6ed71b6f62c3be3f384486c417a855e907d8d5
Author: Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-12-18 21:13:48 +0000
Commit: Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-12-18 21:18:19 +0000

    app-admin/vault: stabilize 1.8.6 for amd64

    Bug: https://bugs.gentoo.org/829493
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/vault-1.8.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Thank you!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=254c716d0dd35a6846f281fd4a3eaf970dc0bede

commit 254c716d0dd35a6846f281fd4a3eaf970dc0bede
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-07-29 21:22:59 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-01 18:05:08 +0000

    [ GLSA-202207-01 ] HashiCorp Vault: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/768312
    Bug: https://bugs.gentoo.org/797244
    Bug: https://bugs.gentoo.org/808093
    Bug: https://bugs.gentoo.org/817269
    Bug: https://bugs.gentoo.org/827945
    Bug: https://bugs.gentoo.org/829493
    Bug: https://bugs.gentoo.org/835070
    Bug: https://bugs.gentoo.org/845405
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202207-01.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
GLSA released, all done!