Bug 905334 (CVE-2023-0845)

Summary:	<app-admin/consul-1.14.5: authenticated DoS
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	ultrabug, zmedico
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://discuss.hashicorp.com/t/hcsec-2023-06-consul-server-panic-when-ingress-and-api-gateways-configured-with-peering-connections/51197
Whiteboard:	B3 [noglsa]
Package list:		Runtime testing required:	---
Bug Depends on:	906497
Bug Blocks:

Description John Helmert III archtester

2023-04-29 21:09:14 UTC

CVE-2023-0845:

Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client agents to crash under certain circumstances. This vulnerability was fixed in Consul 1.14.5.

Please bump to 1.14.5.

Comment 1 John Helmert III archtester

2023-05-25 03:33:50 UTC

Please cleanup.

Comment 2 Larry the Git Cow gentoo-dev

2023-05-26 04:16:41 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b7ea63c243aac4fafdec6d51ccc6d28cc9f4eaf6

commit b7ea63c243aac4fafdec6d51ccc6d28cc9f4eaf6
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2023-05-26 04:15:36 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2023-05-26 04:16:37 +0000

    app-admin/consul: drop 1.14.3
    
    Bug: https://bugs.gentoo.org/905334
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest             |  1 -
 app-admin/consul/consul-1.14.3.ebuild | 57 -----------------------------------
 2 files changed, 58 deletions(-)

Comment 3 John Helmert III archtester

2023-05-26 04:44:51 UTC

Thanks! Requires authentication and is only a DoS anyway. All done.