885997 – <app-admin/consul-1.14.3: DoS via Go http server vulnerability

Bug 885997 - <app-admin/consul-1.14.3: DoS via Go http server vulnerability

Summary: <app-admin/consul-1.14.3: DoS via Go http server vulnerability

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://github.com/hashicorp/consul/r...
Whiteboard:	B3 [glsa+]
Keywords:

Depends on:	889972
Blocks:	CVE-2022-41717
	Show dependency tree

Reported:	2022-12-14 23:20 UTC by John Helmert III
Modified:	2024-09-28 07:10 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-12-14 23:20:05 UTC

CVE-2022-41717 (https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ):

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

Please bump to consul 1.14.3.

Comment 1 Larry the Git Cow gentoo-dev

2022-12-15 00:37:08 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c501ac7b943fc7f87eca2f6ca002de59afdb6caf

commit c501ac7b943fc7f87eca2f6ca002de59afdb6caf
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-12-15 00:35:32 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-12-15 00:35:37 +0000

    app-admin/consul: add 1.14.3
    
    Bug: https://bugs.gentoo.org/885997
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest             |  1 +
 app-admin/consul/consul-1.14.3.ebuild | 57 +++++++++++++++++++++++++++++++++++
 2 files changed, 58 insertions(+)

Comment 2 John Helmert III archtester

2022-12-15 01:00:24 UTC

Thanks! Please stable when ready.

Comment 3 Larry the Git Cow gentoo-dev

2023-01-06 22:13:08 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7981ce133ff280edc16d7b0427c3db998e0bdcbf

commit 7981ce133ff280edc16d7b0427c3db998e0bdcbf
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2023-01-06 22:12:37 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2023-01-06 22:12:52 +0000

    app-admin/consul: drop 1.14.2
    
    Bug: https://bugs.gentoo.org/885997
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest             |  1 -
 app-admin/consul/consul-1.14.2.ebuild | 57 -----------------------------------
 2 files changed, 58 deletions(-)

Comment 4 John Helmert III archtester

2023-01-08 17:03:46 UTC

Thanks!

Comment 5 Larry the Git Cow gentoo-dev

2024-09-28 07:08:33 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=8a3d44eb74b568274245ae6d51f0f6e4e1a56686

commit 8a3d44eb74b568274245ae6d51f0f6e4e1a56686
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-28 07:08:23 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-28 07:08:31 +0000

    [ GLSA 202409-28 ] HashiCorp Consul: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/885997
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-28.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)