
Bug 797244 (CVE-2021-32923)

Summary: <app-admin/vault-{1.5.9,1.6.5,1.7.3}: incorrect token expiration (CVE-2021-32923)
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: zmedico
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://discuss.hashicorp.com/t/hcsec-2021-15-vault-renewed-nearly-expired-leases-with-incorrect-non-expiring-ttls/24603
Whiteboard: B4 [glsa+]
Package list:
app-admin/vault-1.5.9
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 768312

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-21 00:42:37 UTC
CVE-2021-32923 (https://www.hashicorp.com/blog/category/vault/):

HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, and 1.7.2.
Please bump.
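The failure mode described above (a lease renewed within its last second ending up with a TTL that means "never expires") is easy to reproduce in a toy lease model. The following Go program is an added illustration written for this page; it is not Vault's code and does not claim to show Vault's actual renewal path. The Lease type, the convention that a zero TTL means "non-expiring", and the two renew functions are all assumptions of the example: renewNaive models the defect class (capping the requested TTL at the remaining maximum and truncating to whole seconds, so a sub-second remainder becomes 0), and renewHardened shows the defensive check of refusing a renewal that would round down to zero instead of emitting it.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Lease is a hypothetical, simplified lease model for this example only.
// Convention assumed here: TTL == 0 means the lease never expires, which
// mirrors the "incorrectly treated as non-expiring" outcome in the advisory.
type Lease struct {
	IssueTime time.Time
	MaxTTL    time.Duration
	TTL       time.Duration
}

// remaining returns how much of the maximum TTL is left at time now.
func remaining(l Lease, now time.Time) time.Duration {
	return l.MaxTTL - now.Sub(l.IssueTime)
}

// renewNaive models the defect class: the requested TTL is capped at the
// remaining maximum TTL and truncated to whole seconds. Within the final
// second the cap truncates to 0, which the model reads as non-expiring.
func renewNaive(l Lease, requested time.Duration, now time.Time) (Lease, error) {
	rem := remaining(l, now)
	if rem <= 0 {
		return l, errors.New("lease has reached its maximum TTL")
	}
	ttl := requested
	if ttl > rem {
		ttl = rem
	}
	l.TTL = ttl.Truncate(time.Second)
	return l, nil
}

// renewHardened applies the same cap but refuses any renewal that would
// round down to less than one whole second, so a zero TTL is never issued.
func renewHardened(l Lease, requested time.Duration, now time.Time) (Lease, error) {
	rem := remaining(l, now)
	if rem <= 0 {
		return l, errors.New("lease has reached its maximum TTL")
	}
	ttl := requested
	if ttl > rem {
		ttl = rem
	}
	ttl = ttl.Truncate(time.Second)
	if ttl < time.Second {
		return l, errors.New("lease is within 1s of its maximum TTL; renewal refused")
	}
	l.TTL = ttl
	return l, nil
}

// isNonExpiring reports whether the toy model treats the lease as never expiring.
func isNonExpiring(l Lease) bool {
	return l.TTL == 0
}

func main() {
	// Constructed scenario: a one-hour lease renewed 500ms before its max TTL.
	t0 := time.Date(2021, 6, 21, 0, 0, 0, 0, time.UTC)
	l := Lease{IssueTime: t0, MaxTTL: time.Hour, TTL: 30 * time.Minute}
	near := t0.Add(time.Hour - 500*time.Millisecond)

	nl, err := renewNaive(l, 30*time.Minute, near)
	fmt.Printf("naive:    ttl=%v err=%v nonExpiring=%v\n", nl.TTL, err, isNonExpiring(nl))

	hl, err := renewHardened(l, 30*time.Minute, near)
	fmt.Printf("hardened: ttl=%v err=%v nonExpiring=%v\n", hl.TTL, err, isNonExpiring(hl))
}
```

The point of the hardened variant is the order of operations: truncate first, then decide whether the result is still a valid positive TTL. A renewal API that can only return a positive duration or an error cannot produce the silent "zero means forever" value, which is the property a reviewer should look for in any lease or session code that treats 0 as a sentinel.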
Comment 1 Larry the Git Cow gentoo-dev 2021-06-21 02:21:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ac25ddf461c172ba4d9621be08a76106dc66bb0a

commit ac25ddf461c172ba4d9621be08a76106dc66bb0a
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-06-21 02:10:16 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-06-21 02:18:36 +0000

    app-admin/vault: Bump to version 1.6.5
    
    Bug: https://bugs.gentoo.org/797244
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest                                   | 4 ++--
 app-admin/vault/{vault-1.6.3.ebuild => vault-1.6.5.ebuild} | 0
 2 files changed, 2 insertions(+), 2 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5922a1dcfd112a6afbc0e2959f229d887534e81b

commit 5922a1dcfd112a6afbc0e2959f229d887534e81b
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-06-21 01:42:53 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-06-21 02:07:09 +0000

    app-admin/vault: Bump to version 1.5.9
    
    Bug: https://bugs.gentoo.org/797244
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest                                   | 4 ++--
 app-admin/vault/{vault-1.5.7.ebuild => vault-1.5.9.ebuild} | 0
 2 files changed, 2 insertions(+), 2 deletions(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-21 02:34:31 UTC
Thank you! Please stabilize when ready
Comment 3 Larry the Git Cow gentoo-dev 2021-06-21 02:43:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0c5e6e9773bf8f60cd469d13e6f0f25257ad9239

commit 0c5e6e9773bf8f60cd469d13e6f0f25257ad9239
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-06-21 02:39:13 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-06-21 02:43:05 +0000

    app-admin/vault: Bump to version 1.7.3
    
    Bug: https://bugs.gentoo.org/797244
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest                                   | 4 ++--
 app-admin/vault/{vault-1.7.0.ebuild => vault-1.7.3.ebuild} | 0
 2 files changed, 2 insertions(+), 2 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-25 01:05:54 UTC
Ping
Comment 5 Larry the Git Cow gentoo-dev 2021-07-25 02:28:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=423e045bb65e7795f4e6e0354d15f43958186251

commit 423e045bb65e7795f4e6e0354d15f43958186251
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-07-25 02:24:48 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-07-25 02:28:29 +0000

    app-admin/vault: Remove vulnerable version 1.5.6
    
    Bug: https://bugs.gentoo.org/797244
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest           |  2 -
 app-admin/vault/vault-1.5.6.ebuild | 78 --------------------------------------
 2 files changed, 80 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8b4d30d5292d7a081b2a70ab9ad07888fa898de8

commit 8b4d30d5292d7a081b2a70ab9ad07888fa898de8
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-07-25 02:23:57 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-07-25 02:28:27 +0000

    app-admin/vault: stabilize 1.5.9
    
    Bug: https://bugs.gentoo.org/797244
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/vault-1.5.9.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-25 02:32:51 UTC
Thanks!
Comment 7 Agostino Sarubbo gentoo-dev 2021-07-28 06:42:10 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 NATTkA bot gentoo-dev 2021-09-11 05:04:36 UTC
Unable to check for sanity:

> no match for package: app-admin/vault-1.5.9
Comment 9 Larry the Git Cow gentoo-dev 2022-08-01 18:07:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=254c716d0dd35a6846f281fd4a3eaf970dc0bede

commit 254c716d0dd35a6846f281fd4a3eaf970dc0bede
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-07-29 21:22:59 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-01 18:05:08 +0000

    [ GLSA-202207-01 ] HashiCorp Vault: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/768312
    Bug: https://bugs.gentoo.org/797244
    Bug: https://bugs.gentoo.org/808093
    Bug: https://bugs.gentoo.org/817269
    Bug: https://bugs.gentoo.org/827945
    Bug: https://bugs.gentoo.org/829493
    Bug: https://bugs.gentoo.org/835070
    Bug: https://bugs.gentoo.org/845405
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202207-01.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-01 18:08:59 UTC
GLSA released, all done!