Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 838328 (CVE-2022-29153)

Summary: <app-admin/consul-{1.9.17,1.10.10,1.11.5}: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: ultrabug, zmedico
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [glsa+]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-14 13:52:24 UTC
From 1.10.10 and 1.11.5 changelogs:

"* agent: Added a new check field, `disable_redirects`, that allows for disabling the following of redirects for HTTP checks. The intention is to default this to true in a future release so that redirects must explicitly be enabled. [[GH-12685](https://github.com/hashicorp/consul/issues/12685)]
* connect: Properly set SNI when configured for services behind a terminating gateway. [[GH-12672](https://github.com/hashicorp/consul/issues/12672)]"

Please bump to 1.10.10 and 1.11.5.
Comment 1 Larry the Git Cow gentoo-dev 2022-04-15 03:41:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fea1f1badc78c65ff5f840284058a5b44c0d60d7

commit fea1f1badc78c65ff5f840284058a5b44c0d60d7
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-04-15 03:39:10 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-04-15 03:41:46 +0000

    app-admin/consul: add 1.9.17
    
    Bug: https://bugs.gentoo.org/838328
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest             |   1 +
 app-admin/consul/consul-1.9.17.ebuild | 795 ++++++++++++++++++++++++++++++++++
 2 files changed, 796 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2022-04-15 03:46:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=576de6cde0f63cbed8b2bad198485b03b4ead2b2

commit 576de6cde0f63cbed8b2bad198485b03b4ead2b2
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-04-15 03:44:53 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-04-15 03:44:58 +0000

    app-admin/consul: drop vulnerable versions
    
    Bug: https://bugs.gentoo.org/838328
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest             |   8 -
 app-admin/consul/consul-1.10.9.ebuild | 797 ---------------------------------
 app-admin/consul/consul-1.11.4.ebuild | 812 ----------------------------------
 app-admin/consul/consul-1.9.15.ebuild | 793 ---------------------------------
 app-admin/consul/consul-1.9.16.ebuild | 793 ---------------------------------
 5 files changed, 3203 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=68be82ed111c6486e30433fd8727da6837f0b7e4

commit 68be82ed111c6486e30433fd8727da6837f0b7e4
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-04-15 03:43:45 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-04-15 03:44:06 +0000

    app-admin/consul: stabilize 1.9.17 for amd64
    
    Bug: https://bugs.gentoo.org/838328
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/consul-1.9.17.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-15 14:18:54 UTC
Thanks!
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-20 17:07:34 UTC
CVE-2022-29153 (https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393):

HashiCorp Consul and Consul Enterprise through 2022-04-12 allow SSRF.
Comment 5 Larry the Git Cow gentoo-dev 2022-08-10 04:18:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f7375fcfd657cfc3887863e562d7feab296947e9

commit f7375fcfd657cfc3887863e562d7feab296947e9
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-10 04:07:00 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-10 04:17:29 +0000

    [ GLSA 202208-09 ] HashiCorp Consul: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/760696
    Bug: https://bugs.gentoo.org/783483
    Bug: https://bugs.gentoo.org/802522
    Bug: https://bugs.gentoo.org/812497
    Bug: https://bugs.gentoo.org/834006
    Bug: https://bugs.gentoo.org/838328
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-09.xml | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 04:20:47 UTC
GLSA released, all done!