Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 888593 (CVE-2019-14802)

Summary: sys-cluster/nomad: environment leakage into template rendering
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: minor CC: williamh
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://advisories.gitlab.com/advisory/advgo_github_com_hashicorp_nomad_client_allocrunner_taskrunner_template_GMS_2022_818.html
Whiteboard: B3 [ebuild]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-27 03:01:09 UTC 
CVE-2019-14802:

HashiCorp Nomad 0.5.0 through 0.9.4 (fixed in 0.9.5) reveals unintended environment variables to the rendering task during template rendering, aka GHSA-6hv3-7c34-4hx8. This applies to nomad/client/allocrunner/taskrunner/template.

Bit troubling that the "GMS" at URL was last modified on 2022-04-13,
but the CVE was only published today.

Please bump to 0.9.5.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-02-21 00:18:16 UTC 
Oh, I guess a vulnerable version was never in Gentoo.