CVE-2022-25243: "Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3 allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allow_subdomains is set to false. Fixed in Vault Enterprise 1.8.9 and 1.9.4."

Please stabilize 1.9.4.
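To make the advisory concrete, here is an added illustration in Go; it is not code from this bug report, from Gentoo, or from HashiCorp Vault. It models the PKI role name check before and after the fix. The "certain configurations" the CVE text mentions are assumed here to be a role with allow_bare_domains=true and allow_subdomains=false; the PKIRole type and the splitWildcard, allowedVulnerable and allowedFixed functions are hypothetical reconstructions of the matching rules, while the allow_wildcard_certificates role parameter is the one the fixed releases introduced. The sample role and names are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// PKIRole models the subset of Vault PKI role parameters that matter for
// CVE-2022-25243. The field names follow the documented role parameters;
// the matching logic below is an illustrative reconstruction written for
// this page, not Vault's own code.
type PKIRole struct {
	AllowedDomains            []string
	AllowBareDomains          bool
	AllowSubdomains           bool
	AllowWildcardCertificates bool // parameter introduced with the fix in 1.8.9 / 1.9.4
}

// splitWildcard strips one leading "*." label and reports whether it was present.
func splitWildcard(name string) (reduced string, isWildcard bool) {
	if strings.HasPrefix(name, "*.") {
		return name[2:], true
	}
	return name, false
}

// allowedVulnerable models the pre-fix behaviour (assumed here): the wildcard
// label is stripped and the remainder is matched like any ordinary name.
// "*.example.com" therefore reduces to "example.com" and passes the
// bare-domain check, so allow_subdomains=false is never consulted.
func allowedVulnerable(role PKIRole, name string) bool {
	reduced, _ := splitWildcard(strings.ToLower(name))
	for _, d := range role.AllowedDomains {
		if reduced == d && role.AllowBareDomains {
			return true
		}
		if role.AllowSubdomains && strings.HasSuffix(reduced, "."+d) {
			return true
		}
	}
	return false
}

// allowedFixed models the post-fix behaviour: a wildcard name is refused
// outright unless allow_wildcard_certificates is set, and "*.<domain>" is
// treated as a subdomain of <domain>, so it needs allow_subdomains and can
// no longer ride on allow_bare_domains.
func allowedFixed(role PKIRole, name string) bool {
	reduced, isWildcard := splitWildcard(strings.ToLower(name))
	if isWildcard && !role.AllowWildcardCertificates {
		return false
	}
	if strings.Contains(reduced, "*") {
		return false // only a single leftmost wildcard label is accepted
	}
	for _, d := range role.AllowedDomains {
		if !isWildcard && reduced == d && role.AllowBareDomains {
			return true
		}
		if role.AllowSubdomains && (strings.HasSuffix(reduced, "."+d) || (isWildcard && reduced == d)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample role: bare domain allowed, subdomains not.
	role := PKIRole{
		AllowedDomains:            []string{"example.com"},
		AllowBareDomains:          true,
		AllowSubdomains:           false,
		AllowWildcardCertificates: true,
	}
	for _, cn := range []string{"example.com", "app.example.com", "*.example.com", "*.*.example.com"} {
		fmt.Printf("%-18s vulnerable=%-5t fixed=%t\n", cn, allowedVulnerable(role, cn), allowedFixed(role, cn))
	}
}
```

The practical check on a deployment (assuming the PKI engine is mounted at pki/) is to write a role with allowed_domains=example.com allow_bare_domains=true allow_subdomains=false, then request common_name='*.example.com' via vault write pki/issue/<role>: on 1.8.9 / 1.9.4 or later the request is refused, and setting allow_wildcard_certificates=false on the role refuses every wildcard name regardless of the other flags.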
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e16f81b94cb995e87e91ca2bd654861d3d993d93

commit e16f81b94cb995e87e91ca2bd654861d3d993d93
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-03-13 15:49:10 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-03-13 15:50:17 +0000

    app-admin/vault: remove vulnerable versions

    Bug: https://bugs.gentoo.org/835070
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest           |  4 --
 app-admin/vault/vault-1.9.2.ebuild | 85 --------------------------------------
 app-admin/vault/vault-1.9.3.ebuild | 85 --------------------------------------
 3 files changed, 174 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7a751c9ce7dcb97b8e758b520ebe2dcb37c942ea

commit 7a751c9ce7dcb97b8e758b520ebe2dcb37c942ea
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-03-13 15:48:24 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-03-13 15:50:16 +0000

    app-admin/vault: stabilize 1.9.4 for amd64

    Bug: https://bugs.gentoo.org/835070
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/vault-1.9.4.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Thanks!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=254c716d0dd35a6846f281fd4a3eaf970dc0bede

commit 254c716d0dd35a6846f281fd4a3eaf970dc0bede
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-07-29 21:22:59 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-01 18:05:08 +0000

    [ GLSA-202207-01 ] HashiCorp Vault: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/768312
    Bug: https://bugs.gentoo.org/797244
    Bug: https://bugs.gentoo.org/808093
    Bug: https://bugs.gentoo.org/817269
    Bug: https://bugs.gentoo.org/827945
    Bug: https://bugs.gentoo.org/829493
    Bug: https://bugs.gentoo.org/835070
    Bug: https://bugs.gentoo.org/845405
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202207-01.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
GLSA released, all done!