Bug 806055 (CVE-2021-37760)

Summary: <app-admin/graylog-{3.3.14, 4.0.10, 4.1.2}: privilege escalation (CVE-2021-37760)
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: chainsaw, hydrapolic, proxy-maint
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.graylog.org/post/announcing-graylog-v4-1-2
See Also: https://github.com/gentoo/gentoo/pull/21900
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-01 18:35:28 UTC
CVE-2021-37760:

A Session ID leak in the audit log in Graylog before 4.1.2 allows attackers to escalate privileges (to the access level of the leaked session ID).


Please bump.
Comment 1 Larry the Git Cow gentoo-dev 2021-08-07 12:50:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=519ec97409d80c963d554350415a154da4a4ec98

commit 519ec97409d80c963d554350415a154da4a4ec98
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-08-06 12:32:22 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2021-08-07 12:47:51 +0000

    app-admin/graylog: drop vulnerable
    
    Bug: https://bugs.gentoo.org/806055
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/21900
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 app-admin/graylog/Manifest              |  4 --
 app-admin/graylog/graylog-3.3.11.ebuild | 83 ---------------------------------
 app-admin/graylog/graylog-3.3.13.ebuild | 83 ---------------------------------
 app-admin/graylog/graylog-4.0.5.ebuild  | 79 -------------------------------
 app-admin/graylog/graylog-4.0.7.ebuild  | 79 -------------------------------
 5 files changed, 328 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=73486fdffd530d75e7eca84f0c40b1ebe2f492b9

commit 73486fdffd530d75e7eca84f0c40b1ebe2f492b9
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-08-06 12:31:48 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2021-08-07 12:47:50 +0000

    app-admin/graylog: bump to 4.1.2
    
    Bug: https://bugs.gentoo.org/806055
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 app-admin/graylog/Manifest             |  1 +
 app-admin/graylog/graylog-4.1.2.ebuild | 58 ++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=591315d7e534c6402e8a62ca1ebc812fd8321426

commit 591315d7e534c6402e8a62ca1ebc812fd8321426
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-08-06 12:22:10 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2021-08-07 12:47:50 +0000

    app-admin/graylog: bump to 4.0.10
    
    Bug: https://bugs.gentoo.org/806055
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 app-admin/graylog/Manifest              |  1 +
 app-admin/graylog/graylog-4.0.10.ebuild | 79 +++++++++++++++++++++++++++++++++
 2 files changed, 80 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a42daa58980139a50219659bf1d9e2bf12a9e42f

commit a42daa58980139a50219659bf1d9e2bf12a9e42f
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2021-08-06 12:20:57 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2021-08-07 12:47:50 +0000

    app-admin/graylog: bump to 3.3.14
    
    Bug: https://bugs.gentoo.org/806055
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 app-admin/graylog/Manifest              |  1 +
 app-admin/graylog/graylog-3.3.14.ebuild | 83 +++++++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+)