Bug 783483 (CVE-2020-25864, CVE-2021-28156) - <app-admin/consul-{1.7.14,1.8.10,1.9.5}: multiple vulnerabilities (CVE-2020-25864, CVE-2021-28156)
Status: RESOLVED FIXED
Alias: CVE-2020-25864, CVE-2021-28156
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B4 [glsa+]
Depends on: CVE-2021-32574, CVE-2021-36213
Reported: 2021-04-17 19:24 UTC by John Helmert III
Modified: 2022-08-10 04:26 UTC

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-17 19:24:09 UTC
From the changelogs:

Add content-type headers to raw KV responses to prevent XSS attacks CVE-2020-25864 [GH-10023]
audit-logging: Parse endpoint URL to prevent requests from bypassing the audit log CVE-2021-28156

Note that CVE-2021-28156 doesn't affect the 1.7 branch, our only stable version. Fixes in 1.7.14, 1.8.10, 1.9.5. Please bump.
Comment 1 Larry the Git Cow gentoo-dev 2021-04-18 05:21:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fb53fc78d7d478104bec662f45e2f33c3a441886

commit fb53fc78d7d478104bec662f45e2f33c3a441886
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-04-18 05:18:57 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-04-18 05:21:01 +0000

    app-admin/consul: Bump to version 1.9.5
    
    Bug: https://bugs.gentoo.org/783483
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest            |  17 +
 app-admin/consul/consul-1.9.5.ebuild | 782 +++++++++++++++++++++++++++++++++++
 2 files changed, 799 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e1b505adb2dc1a5114cca19fe5f65f796560b555

commit e1b505adb2dc1a5114cca19fe5f65f796560b555
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-04-18 05:10:19 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-04-18 05:21:01 +0000

    app-admin/consul: Bump to version 1.8.10
    
    Bug: https://bugs.gentoo.org/783483
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest             |   1 +
 app-admin/consul/consul-1.8.10.ebuild | 801 ++++++++++++++++++++++++++++++++++
 2 files changed, 802 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b70ac5bc462fac9d59ce627f92c131ac6610fd16

commit b70ac5bc462fac9d59ce627f92c131ac6610fd16
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-04-18 05:00:00 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-04-18 05:21:00 +0000

    app-admin/consul: Bump to version 1.7.14
    
    Bug: https://bugs.gentoo.org/783483
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest             |   1 +
 app-admin/consul/consul-1.7.14.ebuild | 586 ++++++++++++++++++++++++++++++++++
 2 files changed, 587 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-18 14:39:10 UTC
Thank you! Please proceed with stabling when ready.
Comment 9 NATTkA bot gentoo-dev 2021-07-29 18:11:44 UTC
Package list is empty or all packages have requested keywords.
Comment 10 Larry the Git Cow gentoo-dev 2022-08-10 04:18:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f7375fcfd657cfc3887863e562d7feab296947e9

commit f7375fcfd657cfc3887863e562d7feab296947e9
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-10 04:07:00 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-10 04:17:29 +0000

    [ GLSA 202208-09 ] HashiCorp Consul: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/760696
    Bug: https://bugs.gentoo.org/783483
    Bug: https://bugs.gentoo.org/802522
    Bug: https://bugs.gentoo.org/812497
    Bug: https://bugs.gentoo.org/834006
    Bug: https://bugs.gentoo.org/838328
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-09.xml | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 04:26:24 UTC
GLSA released, all done!