Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 845405 (CVE-2022-30689) - <app-admin/vault-1.10.3: incorrect MFA enforcement after server restart
Summary: <app-admin/vault-1.10.3: incorrect MFA enforcement after server restart
Status: RESOLVED FIXED
Alias: CVE-2022-30689
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://discuss.hashicorp.com/t/hcsec...
Whiteboard: B4 [glsa+]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-05-18 17:52 UTC by John Helmert III
Modified: 2022-08-01 18:10 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-18 17:52:31 UTC
CVE-2022-30689:

HashiCorp Vault and Vault Enterprise from 1.10.0 to 1.10.2 did not correctly configure and enforce MFA on login after server restarts. This affects the Login MFA feature introduced in Vault and Vault Enterprise 1.10.0 and does not affect the separate Enterprise MFA feature set. Fixed in 1.10.3.

Please stabilize 1.10.3.
Comment 1 Larry the Git Cow gentoo-dev 2022-05-20 01:52:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df47e59c71eaa1415bc762c894a681a72303ae61

commit df47e59c71eaa1415bc762c894a681a72303ae61
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-05-20 01:50:58 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-05-20 01:51:58 +0000

    app-admin/vault: drop 1.10.0, 1.10.1, 1.10.2
    
    Bug: https://bugs.gentoo.org/845405
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest            |  6 ---
 app-admin/vault/vault-1.10.0.ebuild | 85 -------------------------------------
 app-admin/vault/vault-1.10.1.ebuild | 85 -------------------------------------
 app-admin/vault/vault-1.10.2.ebuild | 85 -------------------------------------
 4 files changed, 261 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e4a4e103b3f63847aa7b253d09a658ea3b054979

commit e4a4e103b3f63847aa7b253d09a658ea3b054979
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-05-20 01:50:25 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-05-20 01:51:58 +0000

    app-admin/vault: stabilize 1.10.3 for amd64
    
    Bug: https://bugs.gentoo.org/845405
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/vault-1.10.3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-20 16:22:05 UTC
Thanks!
Comment 3 Larry the Git Cow gentoo-dev 2022-08-01 18:07:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=254c716d0dd35a6846f281fd4a3eaf970dc0bede

commit 254c716d0dd35a6846f281fd4a3eaf970dc0bede
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-07-29 21:22:59 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-01 18:05:08 +0000

    [ GLSA-202207-01 ] HashiCorp Vault: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/768312
    Bug: https://bugs.gentoo.org/797244
    Bug: https://bugs.gentoo.org/808093
    Bug: https://bugs.gentoo.org/817269
    Bug: https://bugs.gentoo.org/827945
    Bug: https://bugs.gentoo.org/829493
    Bug: https://bugs.gentoo.org/835070
    Bug: https://bugs.gentoo.org/845405
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202207-01.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-01 18:09:01 UTC
GLSA released, all done!