
Bug 760696 (CVE-2020-25201, CVE-2020-28053)

Summary: <app-admin/consul-{1.7.11,1.8.7}: multiple vulnerabilities (CVE-2020-{25201,28053})
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: graaff, ultrabug, zmedico
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [glsa?]
Package list:
Runtime testing required: ---

Description John Helmert III gentoo-dev Security 2020-12-19 05:59:07 UTC
CVE-2020-25201 (https://github.com/hashicorp/consul/blob/master/CHANGELOG.md#185-october-23-2020):

HashiCorp Consul Enterprise version 1.7.0 up to 1.8.4 includes a namespace replication bug which can be triggered to cause denial of service via infinite Raft writes. Fixed in 1.7.9 and 1.8.5.

CVE-2020-28053 (https://github.com/hashicorp/consul/blob/master/CHANGELOG.md#186-november-19-2020):

HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Fixed in 1.6.10, 1.7.10, and 1.8.6.


Maintainers, please bump to 1.8.6.
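The two CVE descriptions above give affected ranges with fixes backported to several release series, which is easy to misread when triaging a running cluster (1.7.10 is "up to 1.8.5" by number but is fixed). The following is an added example, not code from this bug or from the Consul project: a small Python triage helper that encodes exactly the ranges quoted above and reports which of the two CVEs a given `consul version` string falls under. It assumes Consul Enterprise builds carry a `+ent` suffix in their version string (an assumption, labelled in the code); the range boundaries themselves are transcribed from the descriptions in this bug and nothing else.

```python
"""Triage helper: which of the CVEs in this bug affect a given Consul version?

Added example for this bug, not HashiCorp or Gentoo code. Affected/fixed
ranges are transcribed from the CVE descriptions quoted in the bug.
"""
from dataclasses import dataclass
from typing import List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'v1.8.4', '1.8.4+ent' or '1.8.4' into a (major, minor, patch) tuple.

    Build metadata ('+ent') and pre-release tags ('-rc1') are stripped before
    comparison; anything that is not three dotted integers is rejected.
    """
    core = text.strip().lstrip("v").split("+", 1)[0].split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Consul version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_enterprise(text: str) -> bool:
    """Assumption: Consul Enterprise reports its version with a '+ent' suffix."""
    return "+ent" in text


@dataclass(frozen=True)
class Advisory:
    cve: str
    first_affected: Version        # inclusive ("version X up to Y")
    last_affected: Version         # inclusive
    fixed: Tuple[Version, ...]     # first fixed release of each patched series
    enterprise_only: bool = False

    def affected(self, version: Version, enterprise: bool) -> bool:
        if self.enterprise_only and not enterprise:
            return False
        # A backported fix only counts for its own major.minor series:
        # 1.7.10 clears CVE-2020-28053, but 1.7.10 says nothing about 1.8.x.
        for fixed in self.fixed:
            if version[:2] == fixed[:2] and version >= fixed:
                return False
        return self.first_affected <= version <= self.last_affected


# Ranges exactly as stated in the bug's CVE descriptions.
ADVISORIES: Tuple[Advisory, ...] = (
    Advisory("CVE-2020-25201", (1, 7, 0), (1, 8, 4),
             fixed=((1, 7, 9), (1, 8, 5)), enterprise_only=True),
    Advisory("CVE-2020-28053", (1, 2, 0), (1, 8, 5),
             fixed=((1, 6, 10), (1, 7, 10), (1, 8, 6))),
)


def affected_cves(version_text: str) -> List[str]:
    """Return the CVE IDs from this bug that apply to the given version string."""
    version = parse_version(version_text)
    enterprise = is_enterprise(version_text)
    return [a.cve for a in ADVISORIES if a.affected(version, enterprise)]


if __name__ == "__main__":
    # Constructed sample inputs, not output captured from a real cluster.
    for sample in ("1.8.4+ent", "1.8.4", "1.7.9+ent", "1.7.10", "1.8.7", "v1.6.9"):
        print(f"{sample:>12}: {affected_cves(sample) or 'not affected'}")
```

Feed it the output of `consul version` from each server; the Gentoo bumps in this bug (1.7.11 and 1.8.7) both come out clean, while 1.7.4, the old ebuild removed later in the bug, is flagged for CVE-2020-28053.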
Comment 1 Larry the Git Cow gentoo-dev 2020-12-19 08:24:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5fcf94bbf2e99774861de3e27ae4ac92f9b8de7f

commit 5fcf94bbf2e99774861de3e27ae4ac92f9b8de7f
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-12-19 08:14:20 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-12-19 08:24:21 +0000

    app-admin/consul: Bump to version 1.8.7
    
    Bug: https://bugs.gentoo.org/760696
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest            |  59 +++
 app-admin/consul/consul-1.8.7.ebuild | 796 +++++++++++++++++++++++++++++++++++
 2 files changed, 855 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=09469b1f873917d11661b27607091579fe0609ba

commit 09469b1f873917d11661b27607091579fe0609ba
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-12-19 07:59:19 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-12-19 08:24:21 +0000

    app-admin/consul: Bump to version 1.7.11
    
    Bug: https://bugs.gentoo.org/760696
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest             |   1 +
 app-admin/consul/consul-1.7.11.ebuild | 581 ++++++++++++++++++++++++++++++++++
 2 files changed, 582 insertions(+)
Comment 2 John Helmert III gentoo-dev Security 2020-12-19 08:39:27 UTC
Thank you! Please stabilize when ready.
Comment 3 Hans de Graaff gentoo-dev 2021-03-31 14:40:26 UTC
Any reason that this stabilization is blocked?
Comment 4 Sam James archtester gentoo-dev Security 2021-04-02 14:11:04 UTC
amd64 done

all arches done
Comment 5 John Helmert III gentoo-dev Security 2021-04-02 17:01:37 UTC
Please clean up.
Comment 6 Larry the Git Cow gentoo-dev 2021-04-02 19:42:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7bf7b30eb245c703414f3013c1fad8e3035faef8

commit 7bf7b30eb245c703414f3013c1fad8e3035faef8
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-04-02 19:41:44 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-04-02 19:42:09 +0000

    app-admin/consul: Remove old and vulnerable versions
    
    Bug: https://bugs.gentoo.org/760696
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest            |  24 --
 app-admin/consul/consul-1.7.4.ebuild | 514 ----------------------
 app-admin/consul/consul-1.8.7.ebuild | 796 -----------------------------------
 app-admin/consul/consul-1.9.1.ebuild | 775 ----------------------------------
 4 files changed, 2109 deletions(-)
Comment 7 John Helmert III gentoo-dev Security 2021-04-02 22:31:13 UTC
Thanks!
Comment 13 NATTkA bot gentoo-dev 2021-07-29 18:13:47 UTC
Package list is empty or all packages have requested keywords.