CVE-2023-44487: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. Vault fixes are in 1.13.9, 1.14.5, 1.15.1; please bump.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=67b9baf73ff32079684ca6f74976279592fe2279

commit 67b9baf73ff32079684ca6f74976279592fe2279
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2023-11-25 06:01:00 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2023-11-25 06:01:48 +0000

    app-admin/vault: add 1.14.5

    Bug: https://bugs.gentoo.org/918420
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest            |  2 +
 app-admin/vault/vault-1.14.5.ebuild | 86 +++++++++++++++++++++++++++++++++++++
 2 files changed, 88 insertions(+)
Thanks! Please stabilize when ready
CVE-2023-5077 (https://discuss.hashicorp.com/t/hcsec-2023-30-vault-s-google-cloud-secrets-engine-removed-existing-iam-conditions-when-creating-updating-rolesets/58654): The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.

CVE-2023-4680 (https://discuss.hashicorp.com/t/hcsec-2023-28-vault-s-transit-secrets-engine-allowed-nonce-specified-without-convergent-encryption/58249): HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decrypt arbitrary ciphertext and potentially derive the authentication subkey when using transit secrets engine without convergent encryption. Introduced in 1.6.0 and fixed in 1.14.3, 1.13.7, and 1.12.11.

CVE-2023-3462 (https://discuss.hashicorp.com/t/hcsec-2023-24-vaults-ldap-auth-method-allows-for-user-enumeration/56714): HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.

A few more were fixed lately, for which 1.14.5 should be the first fixed version.
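Added example (not Gentoo's or HashiCorp's tooling): a small script that takes the "introduced in" / "fixed in" versions quoted in the comments above and reports which of the four CVEs still apply to a given Vault version, e.g. to decide which ebuilds to drop and which to stabilize. The version numbers come from the comments; the rule for reading a "fixed in" list across branches (a release is fixed when it is at or past the fix on its own major.minor branch, or when its branch is newer than every branch that received a fix) is an assumption of the script, not something the advisories state. Suffixes such as a Gentoo revision (-r1) or "+ent" are ignored.

```python
"""Check a Vault version against the fixed versions quoted in this bug.

Added example, not Gentoo's or HashiCorp's tooling.  The version numbers are
copied from the comments above; the branch rule used to interpret a
"fixed in" list (a release is fixed when it is at or past the fix on its own
major.minor branch, or when its branch is newer than every branch that got a
fix) is an assumption of this script, not something the advisories state.
"""
import re
import sys
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (CVE, introduced-in or None, fixed-in versions), as quoted in the comments.
ADVISORIES: List[Tuple[str, Optional[str], List[str]]] = [
    ("CVE-2023-44487", None,    ["1.13.9", "1.14.5", "1.15.1"]),
    ("CVE-2023-5077",  None,    ["1.13.0"]),
    ("CVE-2023-4680",  "1.6.0", ["1.12.11", "1.13.7", "1.14.3"]),
    ("CVE-2023-3462",  None,    ["1.13.5", "1.14.1"]),
]


def parse_version(text: str) -> Version:
    """Extract major.minor.patch from strings such as "1.14.5", "vault-1.14.5",
    "1.14.5-r1" (Gentoo revision) or "1.14.5+ent"; suffixes are ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no X.Y.Z version in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_fixed(version: Version, fixed: List[str]) -> bool:
    """Apply the branch rule described in the module docstring."""
    fixes = [parse_version(f) for f in fixed]
    branch = version[:2]
    on_branch = [f for f in fixes if f[:2] == branch]
    if on_branch:
        # A fix exists for this branch: fixed iff at or past it.
        return version >= min(on_branch)
    # No fix on this branch.  A branch newer than every fixed one is assumed to
    # carry the fix (e.g. 1.14.x for a bug fixed in 1.13.0); an older branch
    # never received a backport and is treated as affected.
    return branch > max(f[:2] for f in fixes)


def affected_cves(version_text: str) -> List[str]:
    """Return the CVEs from this bug that still apply to the given version."""
    version = parse_version(version_text)
    result = []
    for cve, introduced, fixed in ADVISORIES:
        if introduced is not None and version < parse_version(introduced):
            continue  # bug not present yet in this release line
        if not is_fixed(version, fixed):
            result.append(cve)
    return result


if __name__ == "__main__":
    # Usage: python3 check_vault.py 1.12.7 1.14.5 1.15.0
    for arg in sys.argv[1:] or ["1.12.7", "1.14.5"]:
        cves = affected_cves(arg)
        print(f"{arg}: {'affected by ' + ', '.join(cves) if cves else 'not affected'}")
```

Run with the versions that appear in this bug: 1.12.7 comes back affected by all four CVEs (so dropping it is right), 1.14.5 by none, and 1.14.4 or 1.15.0 only by CVE-2023-44487, which is why 1.14.5 is the first version on its branch that closes everything listed here.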
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4d3dc6d293215df88738f2a04ebcb545b97c0e58

commit 4d3dc6d293215df88738f2a04ebcb545b97c0e58
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2023-12-18 03:05:42 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2023-12-18 03:07:07 +0000

    app-admin/vault: drop 1.12.7

    Bug: https://bugs.gentoo.org/918420
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest            |  2 -
 app-admin/vault/vault-1.12.7.ebuild | 86 -------------------------------------
 2 files changed, 88 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=796a43c68f3e90847bdaeaa5b5ad9eaaf5c1acd2

commit 796a43c68f3e90847bdaeaa5b5ad9eaaf5c1acd2
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2023-12-18 03:03:41 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2023-12-18 03:07:07 +0000

    app-admin/vault: stabilize 1.14.5 for amd64

    Bug: https://bugs.gentoo.org/918420
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/vault-1.14.5.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)