Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 783483 (CVE-2020-25864, CVE-2021-28156) - <app-admin/consul-{1.7.14,1.8.10,1.9.5}: multiple vulnerabilities (CVE-2020-25864, CVE-2021-28156)
Summary: <app-admin/consul-{1.7.14,1.8.10,1.9.5}: multiple vulnerabilities (CVE-2020-2...
Status: IN_PROGRESS
Alias: CVE-2020-25864, CVE-2021-28156
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa?]
Keywords:
Depends on: CVE-2021-32574, CVE-2021-36213
Blocks:
  Show dependency tree
 
Reported: 2021-04-17 19:24 UTC by John Helmert III
Modified: 2021-10-17 19:13 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-04-17 19:24:09 UTC
From the changelogs:

Add content-type headers to raw KV responses to prevent XSS attacks CVE-2020-25864 [GH-10023]
audit-logging: Parse endpoint URL to prevent requests from bypassing the audit log CVE-2021-28156

Note that CVE-2021-28156 doesn't affect the 1.7 branch, our only stable version. Fixes in 1.7.14, 1.8.10, 1.9.5. Please bump.
Comment 1 Larry the Git Cow gentoo-dev 2021-04-18 05:21:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fb53fc78d7d478104bec662f45e2f33c3a441886

commit fb53fc78d7d478104bec662f45e2f33c3a441886
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-04-18 05:18:57 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-04-18 05:21:01 +0000

    app-admin/consul: Bump to version 1.9.5
    
    Bug: https://bugs.gentoo.org/783483
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest            |  17 +
 app-admin/consul/consul-1.9.5.ebuild | 782 +++++++++++++++++++++++++++++++++++
 2 files changed, 799 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e1b505adb2dc1a5114cca19fe5f65f796560b555

commit e1b505adb2dc1a5114cca19fe5f65f796560b555
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-04-18 05:10:19 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-04-18 05:21:01 +0000

    app-admin/consul: Bump to version 1.8.10
    
    Bug: https://bugs.gentoo.org/783483
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest             |   1 +
 app-admin/consul/consul-1.8.10.ebuild | 801 ++++++++++++++++++++++++++++++++++
 2 files changed, 802 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b70ac5bc462fac9d59ce627f92c131ac6610fd16

commit b70ac5bc462fac9d59ce627f92c131ac6610fd16
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-04-18 05:00:00 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-04-18 05:21:00 +0000

    app-admin/consul: Bump to version 1.7.14
    
    Bug: https://bugs.gentoo.org/783483
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest             |   1 +
 app-admin/consul/consul-1.7.14.ebuild | 586 ++++++++++++++++++++++++++++++++++
 2 files changed, 587 insertions(+)
Comment 2 John Helmert III gentoo-dev Security 2021-04-18 14:39:10 UTC
Thank you! Please proceed with stabling when ready.
Comment 3 NATTkA bot gentoo-dev 2021-07-17 04:48:34 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:23:04 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:31:24 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 17:39:21 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 17:47:29 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 18:03:27 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-07-29 18:11:44 UTC
Package list is empty or all packages have requested keywords.