Summary: | <app-admin/vault-{1.11.9,1.12.5}: multiple vulnerabilities | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | CONFIRMED --- | | |
Severity: | minor | CC: | zmedico |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | B4 [glsa?] | | |
Package list: | | Runtime testing required: | --- |
Description
John Helmert III
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=36e59bfe01ebf40d9b0af0cc0e0c80a3223cae39

commit 36e59bfe01ebf40d9b0af0cc0e0c80a3223cae39
Author: Zac Medico <zmedico@gentoo.org>
AuthorDate: 2023-04-06 04:17:43 +0000
Commit: Zac Medico <zmedico@gentoo.org>
CommitDate: 2023-04-06 04:23:00 +0000

    app-admin/vault: add 1.12.5

    Bug: https://bugs.gentoo.org/903806
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest | 2 +
 app-admin/vault/vault-1.12.5.ebuild | 86 +++++++++++++++++++++++++++++++++++++
 2 files changed, 88 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e3b9acded02e1aebce501a5537010e991670dc0b

commit e3b9acded02e1aebce501a5537010e991670dc0b
Author: Zac Medico <zmedico@gentoo.org>
AuthorDate: 2023-04-06 03:58:30 +0000
Commit: Zac Medico <zmedico@gentoo.org>
CommitDate: 2023-04-06 04:22:59 +0000

    app-admin/vault: add 1.11.9

    Bug: https://bugs.gentoo.org/903806
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest | 2 +
 app-admin/vault/vault-1.11.9.ebuild | 86 +++++++++++++++++++++++++++++++++++++
 2 files changed, 88 insertions(+)

CVE-2023-24999 (https://discuss.hashicorp.com/t/hcsec-2023-07-vault-fails-to-verify-if-approle-secretid-belongs-to-role-during-a-destroy-operation/51305):

HashiCorp Vault and Vault Enterprise’s approle auth method allowed any authenticated user with access to an approle destroy endpoint to destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability is fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above.