Bug 872086 - <app-admin/consul-1.12.5: multiple vulnerabilities
Summary: <app-admin/consul-1.12.5: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/hashicorp/consul/r...
Whiteboard: B4 [noglsa]
Keywords:
Depends on: 872197
Blocks:
Reported: 2022-09-20 20:31 UTC by John Helmert III
Modified: 2022-09-21 14:37 UTC (History)
CC List: 2 users
See Also:
Package list:
Runtime testing required: ---
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-20 20:31:23 UTC
From URL,

"auto-config: Added input validation for auto-config JWT authorization checks. Prior to this change, it was possible for malicious actors to construct requests which incorrectly pass custom JWT claim validation for the AutoConfig.InitialConfiguration endpoint. Now, only a subset of characters are allowed for the input before evaluating the bexpr. [GH-14577]

connect: Added URI length checks to ConnectCA CSR requests. Prior to this change, it was possible for a malicious actor to designate multiple SAN URI values in a call to the ConnectCA.Sign endpoint. The endpoint now only allows for exactly one SAN URI to be specified. [GH-14579]"

Please bump to 1.12.5. I suppose more releases are coming though, presumably
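The two fixes quoted above are both input-validation checks: an allow-list on the auto-config claim input before it reaches the bexpr evaluator, and a hard limit of exactly one URI SAN on CSRs sent to ConnectCA.Sign. The Go below is an added illustration, not Consul's code; the allowed character set is an assumption (the release note only says "a subset of characters"), and the CSRs are constructed in-process for the check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"net/url"
	"regexp"
)

// ASSUMED allow-list for the auto-config claim input (alphanumerics, "-", "_",
// ".", "/", ":"); the release note only says "a subset of characters".
var allowedClaimInput = regexp.MustCompile(`^[A-Za-z0-9_./:-]+$`)

// ValidateClaimInput runs before the value is ever handed to the bexpr evaluator.
func ValidateClaimInput(s string) bool {
	return allowedClaimInput.MatchString(s)
}

// CheckCSRURISANs parses a DER CSR and requires exactly one URI SAN.
func CheckCSRURISANs(der []byte) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return err
	}
	if n := len(csr.URIs); n != 1 {
		return fmt.Errorf("expected exactly one URI SAN, got %d", n)
	}
	return nil
}

// BuildCSR produces a DER CSR with the given URI SANs (constructed test input).
func BuildCSR(uris ...string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "web"}}
	for _, u := range uris {
		parsed, err := url.Parse(u)
		if err != nil {
			return nil, err
		}
		tmpl.URIs = append(tmpl.URIs, parsed)
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}
```

A real signer would also verify the CSR's self-signature (`csr.CheckSignature()`) before looking at its SANs; it is left out here only to keep the count check in focus.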
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-20 21:36:43 UTC
1.11.9 released with the same fixes
Comment 2 Larry the Git Cow gentoo-dev 2022-09-21 00:32:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=09a02fbc62b628b2d770269609bdfbabaf2fc072

commit 09a02fbc62b628b2d770269609bdfbabaf2fc072
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-09-21 00:31:24 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-09-21 00:32:35 +0000

    app-admin/consul: add 1.13.2
    
    Bug: https://bugs.gentoo.org/872086
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest             |  2 ++
 app-admin/consul/consul-1.13.2.ebuild | 56 +++++++++++++++++++++++++++++++++++
 2 files changed, 58 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e25044588d42f54e73c31ba69db9570f8fc3f4c3

commit e25044588d42f54e73c31ba69db9570f8fc3f4c3
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-09-21 00:06:44 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-09-21 00:32:35 +0000

    app-admin/consul: add 1.12.5
    
    Bug: https://bugs.gentoo.org/872086
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest             |  2 ++
 app-admin/consul/consul-1.12.5.ebuild | 51 +++++++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2022-09-21 00:35:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b7aec9a8f7b6a672503ce305af7d0e3c3578cf50

commit b7aec9a8f7b6a672503ce305af7d0e3c3578cf50
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-09-21 00:33:48 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-09-21 00:34:08 +0000

    app-admin/consul: drop 1.12.4, 1.13.1
    
    Bug: https://bugs.gentoo.org/872086
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest             |  4 ---
 app-admin/consul/consul-1.12.4.ebuild | 51 -------------------------------
 app-admin/consul/consul-1.13.1.ebuild | 56 -----------------------------------
 3 files changed, 111 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-21 01:32:01 UTC
What of 1.9.x?
Comment 5 Larry the Git Cow gentoo-dev 2022-09-21 12:57:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b85fd58a10f811f1152c29f69c522bc58098f390

commit b85fd58a10f811f1152c29f69c522bc58098f390
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-09-21 12:57:21 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-09-21 12:57:27 +0000

    app-admin/consul: drop 1.9.17
    
    Bug: https://bugs.gentoo.org/872086
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest             |  2 --
 app-admin/consul/consul-1.9.17.ebuild | 56 -----------------------------------
 2 files changed, 58 deletions(-)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-21 14:37:08 UTC
Thanks! No CVEs so I guess Hashicorp doesn't think these issues are important enough. No GLSA.