Bug 747157 (CVE-2020-25816)

Summary: <app-admin/vault-{1.4.7,1.5.5}: Incorrect access control (CVE-2020-25816)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: zmedico
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 739264

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-07 19:15:01 UTC
"Batch Token Expiry: We addressed an issue where batch token leases could outlive their TTL because we were not scheduling the expiration time correctly. This vulnerability affects Vault OSS and Vault Enterprise 1.0 and newer and is fixed in 1.4.7 and 1.5.4 (CVE-2020-25816)."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-16 18:58:03 UTC
ping
Comment 2 Larry the Git Cow gentoo-dev 2020-11-17 05:55:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8cc4e84cb5d22c0d1303b4875c620af0a9f99cc

commit c8cc4e84cb5d22c0d1303b4875c620af0a9f99cc
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-11-17 05:52:10 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-11-17 05:55:27 +0000

    app-admin/vault: Bump to version 1.5.5
    
    Bug: https://bugs.gentoo.org/747157
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest           |  2 +
 app-admin/vault/vault-1.5.5.ebuild | 78 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 80 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03b4c32163020e5df5b6f0af4692746d43099953

commit 03b4c32163020e5df5b6f0af4692746d43099953
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-11-17 05:18:57 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-11-17 05:55:26 +0000

    app-admin/vault: Bump to version 1.4.7
    
    Bug: https://bugs.gentoo.org/747157
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest           |  2 +
 app-admin/vault/vault-1.4.7.ebuild | 77 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 79 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-06 17:41:54 UTC
ready?
Comment 4 Zac Medico gentoo-dev 2020-12-06 21:06:54 UTC
Yes, please stabilize.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-06 23:55:23 UTC
amd64 done

all arches done
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-07 01:17:01 UTC
Maintainer, please cleanup.
Comment 7 Larry the Git Cow gentoo-dev 2020-12-07 01:35:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f0bb5360fbc519550d46587af5217eae2ed514ac

commit f0bb5360fbc519550d46587af5217eae2ed514ac
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-12-07 01:33:33 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-12-07 01:35:47 +0000

    app-admin/vault: Remove vulnerable CVE-2020-25816
    
    Bug: https://bugs.gentoo.org/747157
    Package-Manager: Portage-3.0.11, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest           |  2 -
 app-admin/vault/vault-1.4.5.ebuild | 77 --------------------------------------
 2 files changed, 79 deletions(-)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-07 01:41:04 UTC
Thanks Zac!
Comment 9 NATTkA bot gentoo-dev 2021-01-07 10:41:05 UTC
Unable to check for sanity:

> no match for package: app-admin/vault-1.4.7
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-25 23:48:24 UTC
GLSA vote: no