Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 727886 (CVE-2020-12758, CVE-2020-12797, CVE-2020-13170, CVE-2020-13250) - <app-admin/consul-1.7.4: Multiple vulnerabilities (CVE-2020-{13250,12797,13170,12758})
Summary: <app-admin/consul-1.7.4: Multiple vulnerabilities (CVE-2020-{13250,12797,1317...
Status: RESOLVED FIXED
Alias: CVE-2020-12758, CVE-2020-12797, CVE-2020-13170, CVE-2020-13250
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/hashicorp/consul/r...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-06-10 22:32 UTC by Sam James
Modified: 2020-07-18 00:06 UTC (History)
2 users (show)

See Also:
Package list:
=app-admin/consul-1.7.4
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-10 22:32:20 UTC
* CVE-2020-13250

Description:
"Adding an option http_config.use_cache to disable agent caching for http endpoints, because Consul’s DNS and HTTP API expose a caching feature susceptible to DoS."

* CVE-2020-12797

Description:
"Propagate and enforce changes to legacy ACL tokens rules in secondary data centers."

* CVE-2020-13170

Description:
"Only resolve local acl token in the datacenter it belongs to."

* CVE-2020-12758

Description:
"Requiring service:write permissions, a service-router entry without a destination no longer crashes Consul servers."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-10 22:33:18 UTC
@maintainer(s), please bump to 1.7.4.
Comment 2 Larry the Git Cow gentoo-dev 2020-06-11 02:51:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d38e6118ffe36ad8c922ae43fb819cad3f7a0217

commit d38e6118ffe36ad8c922ae43fb819cad3f7a0217
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-06-11 02:46:13 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-06-11 02:51:20 +0000

    app-admin/consul: Bump to version 1.7.4 (bug 727886)
    
    Bug: https://bugs.gentoo.org/727886
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest            |   1 +
 app-admin/consul/consul-1.7.4.ebuild | 513 +++++++++++++++++++++++++++++++++++
 2 files changed, 514 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-11 02:52:40 UTC
@maintainer(s), thanks! Let us know when ready for stabilisation.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-16 13:29:16 UTC
@maintainer(s), I'll add CC-ARCHES now if no objections
Comment 5 Agostino Sarubbo gentoo-dev 2020-06-25 07:02:11 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 Larry the Git Cow gentoo-dev 2020-07-18 00:00:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d9fa02d864bb12ef6e321aa70510a297aea1c32

commit 1d9fa02d864bb12ef6e321aa70510a297aea1c32
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-17 21:27:31 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-17 23:59:55 +0000

    app-admin/consul: security cleanup
    
    Bug: https://bugs.gentoo.org/727886
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 app-admin/consul/Manifest            |  56 ----
 app-admin/consul/consul-1.7.2.ebuild | 553 -----------------------------------
 app-admin/consul/consul-1.7.3.ebuild | 514 --------------------------------
 3 files changed, 1123 deletions(-)
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-18 00:06:59 UTC
GLSA vote: no

Tree is clean, closing.