Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 907925 (CVE-2023-1297, CVE-2023-2816) - <app-admin/consul-1.15.3: multiple vulnerabilities
Summary: <app-admin/consul-1.15.3: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2023-1297, CVE-2023-2816
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2023-06-06 03:49 UTC by John Helmert III
Modified: 2023-10-21 05:14 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-06 03:49:21 UTC 
CVE-2023-1297 (https://discuss.hashicorp.com/t/hcsec-2023-15-consul-cluster-peering-can-result-in-denial-of-service/54515):

Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with service of the same name as a local service could corrupt Consul state, resulting in denial of service. This vulnerability was resolved in Consul 1.14.5, and 1.15.3

CVE-2023-2816 (https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-proxy-configuration-by-upstream-service-owner/54525):

Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.

Please bump to 1.15.3.
Comment 1 Larry the Git Cow gentoo-dev 2023-06-06 04:48:13 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dd43565bacbde04cd2d5c24cf7ecdbc3451f4c28

commit dd43565bacbde04cd2d5c24cf7ecdbc3451f4c28
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2023-06-06 04:47:22 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2023-06-06 04:48:09 +0000

    app-admin/consul: add 1.15.3
    
    Bug: https://bugs.gentoo.org/907925
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest             |  1 +
 app-admin/consul/consul-1.15.3.ebuild | 57 +++++++++++++++++++++++++++++++++++
 2 files changed, 58 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-12 04:26:20 UTC 
Please stabilize when ready, thanks!
Comment 3 Larry the Git Cow gentoo-dev 2023-10-21 00:53:15 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=39881bb9bcaa4019ff5c02314eaa465bcce39084

commit 39881bb9bcaa4019ff5c02314eaa465bcce39084
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2023-10-21 00:52:24 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2023-10-21 00:52:30 +0000

    app-admin/consul: drop vulnerable 1.15.2
    
    Bug: https://bugs.gentoo.org/907925
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest             |  1 -
 app-admin/consul/consul-1.15.2.ebuild | 57 -----------------------------------
 2 files changed, 58 deletions(-)