833157 – (CVE-2022-24683, CVE-2022-24684, CVE-2022-24685, CVE-2022-24686) <sys-cluster/nomad-1.2.6: multiple vulnerabilities

Bug 833157 (CVE-2022-24683, CVE-2022-24684, CVE-2022-24685, CVE-2022-24686) - <sys-cluster/nomad-1.2.6: multiple vulnerabilities

Summary: <sys-cluster/nomad-1.2.6: multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2022-24683, CVE-2022-24684, CVE-2022-24685, CVE-2022-24686

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial
Assignee:	Gentoo Security

URL:	https://github.com/hashicorp/nomad/re...
Whiteboard:	~4 [noglsa]
Keywords:

Depends on:
Blocks:	CVE-2021-37218, CVE-2021-43415
	Show dependency tree

Reported:	2022-02-12 04:13 UTC by John Helmert III
Modified:	2022-02-20 19:54 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-02-12 04:13:18 UTC

From URL:

"Add ACL requirement and HCL validation to the job parse API endpoint to prevent excessive CPU usage. CVE-2022-24685 [GH-12038]
Fix race condition in use of go-getter that could cause a client agent to download the wrong artifact into the wrong destination. CVE-2022-24686 [GH-12036]
Prevent panic in spread iterator during allocation stop. CVE-2022-24684 [GH-12039]
Resolve symlinks to prevent unauthorized access to files outside the allocation directory. CVE-2022-24683 [GH-12037]"

Comment 1 John Helmert III archtester

2022-02-12 04:13:34 UTC

Please bump to 1.2.6.

Comment 2 Larry the Git Cow gentoo-dev

2022-02-15 17:40:29 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c21bc0f0950d9fbacfcd7c008176e927c726ce7e

commit c21bc0f0950d9fbacfcd7c008176e927c726ce7e
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-02-15 17:36:40 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-02-15 17:39:50 +0000

    sys-cluster/nomad:  1.2.6 bump
    
    Bug: https://bugs.gentoo.org/812494
    Bug: https://bugs.gentoo.org/833157
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 sys-cluster/nomad/Manifest            |  2 ++
 sys-cluster/nomad/files/nomad.service | 29 +++++++++++++++++++++
 sys-cluster/nomad/nomad-1.2.6.ebuild  | 49 +++++++++++++++++++++++++++++++++++
 3 files changed, 80 insertions(+)

Comment 3 Larry the Git Cow gentoo-dev

2022-02-20 18:53:04 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=010bb3a5ba073cc25e34ec9c001154e38aa7f789

commit 010bb3a5ba073cc25e34ec9c001154e38aa7f789
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-02-20 18:51:24 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-02-20 18:52:48 +0000

    sys-cluster/nomad: remove vulnerable versions
    
    Bug: https://bugs.gentoo.org/812494
    Bug: https://bugs.gentoo.org/833157
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 sys-cluster/nomad/Manifest           |  1 -
 sys-cluster/nomad/metadata.xml       |  1 -
 sys-cluster/nomad/nomad-1.0.9.ebuild | 45 ------------------------------------
 3 files changed, 47 deletions(-)

Comment 4 John Helmert III archtester

2022-02-20 19:54:04 UTC

Thanks, all done!