
Bug 739264 (CVE-2020-16250, CVE-2020-16251)

Summary: <app-admin/vault-{1.4.5, 1.5.2}: Multiple vulnerabilities (CVE-2020-{16250,16251})
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: zmedico
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/hashicorp/vault/blob/002a565d7b0b207e2fc90ee7253da030ce17b6e7/CHANGELOG.md#151
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 747157    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-27 13:47:25 UTC
* CVE-2020-16250

Description:
"HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1"

* CVE-2020-16251
	
Description:
"HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-27 13:48:22 UTC
Please bump to 1.4.4, 1.5.1.
Comment 2 Larry the Git Cow gentoo-dev 2020-08-27 22:01:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6baa401912ce4ec8fff9722123003b50c256cebf

commit 6baa401912ce4ec8fff9722123003b50c256cebf
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-08-27 21:51:11 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-08-27 22:01:51 +0000

    app-admin/vault: Bump to version 1.5.2
    
    Bug: https://bugs.gentoo.org/739264
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest           |  2 +
 app-admin/vault/vault-1.5.2.ebuild | 78 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 80 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=06a7fb42c45291cd124c4e818b4c2067c3f86e8b

commit 06a7fb42c45291cd124c4e818b4c2067c3f86e8b
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-08-27 21:39:32 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-08-27 22:01:51 +0000

    app-admin/vault: Bump to version 1.4.5
    
    Bug: https://bugs.gentoo.org/739264
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest           |  2 +
 app-admin/vault/vault-1.4.5.ebuild | 77 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 79 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-28 03:42:06 UTC
Thanks! Please stable when ready.
Comment 4 Agostino Sarubbo gentoo-dev 2020-10-09 11:12:21 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 NATTkA bot gentoo-dev 2020-12-07 01:46:44 UTC
Unable to check for sanity:

> no match for package: app-admin/vault-1.4.5
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-25 23:48:14 UTC
GLSA vote: no