Bug 760696 (CVE-2020-25201, CVE-2020-28053) - <app-admin/consul-{1.7.11,1.8.7}: multiple vulnerabilities (CVE-2020-{25201,28053})
Status: RESOLVED FIXED
Alias: CVE-2020-25201, CVE-2020-28053
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B4 [glsa+]
Reported: 2020-12-19 05:59 UTC by John Helmert III
Modified: 2022-08-10 04:28 UTC (History)
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-19 05:59:07 UTC
CVE-2020-25201 (https://github.com/hashicorp/consul/blob/master/CHANGELOG.md#185-october-23-2020):

HashiCorp Consul Enterprise version 1.7.0 up to 1.8.4 includes a namespace replication bug which can be triggered to cause denial of service via infinite Raft writes. Fixed in 1.7.9 and 1.8.5.

CVE-2020-28053 (https://github.com/hashicorp/consul/blob/master/CHANGELOG.md#186-november-19-2020):

HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Fixed in 1.6.10, 1.7.10, and 1.8.6.


Maintainers, please bump to 1.8.6.
Comment 1 Larry the Git Cow gentoo-dev 2020-12-19 08:24:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5fcf94bbf2e99774861de3e27ae4ac92f9b8de7f

commit 5fcf94bbf2e99774861de3e27ae4ac92f9b8de7f
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-12-19 08:14:20 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-12-19 08:24:21 +0000

    app-admin/consul: Bump to version 1.8.7
    
    Bug: https://bugs.gentoo.org/760696
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest            |  59 +++
 app-admin/consul/consul-1.8.7.ebuild | 796 +++++++++++++++++++++++++++++++++++
 2 files changed, 855 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=09469b1f873917d11661b27607091579fe0609ba

commit 09469b1f873917d11661b27607091579fe0609ba
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-12-19 07:59:19 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-12-19 08:24:21 +0000

    app-admin/consul: Bump to version 1.7.11
    
    Bug: https://bugs.gentoo.org/760696
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest             |   1 +
 app-admin/consul/consul-1.7.11.ebuild | 581 ++++++++++++++++++++++++++++++++++
 2 files changed, 582 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-19 08:39:27 UTC
Thank you! Please stabilize when ready.
Comment 3 Hans de Graaff gentoo-dev Security 2021-03-31 14:40:26 UTC
Any reason that this stabilization is blocked?
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-02 14:11:04 UTC
amd64 done

all arches done
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-02 17:01:37 UTC
Please clean up.
Comment 6 Larry the Git Cow gentoo-dev 2021-04-02 19:42:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7bf7b30eb245c703414f3013c1fad8e3035faef8

commit 7bf7b30eb245c703414f3013c1fad8e3035faef8
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-04-02 19:41:44 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-04-02 19:42:09 +0000

    app-admin/consul: Remove old and vulnerable versions
    
    Bug: https://bugs.gentoo.org/760696
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest            |  24 --
 app-admin/consul/consul-1.7.4.ebuild | 514 ----------------------
 app-admin/consul/consul-1.8.7.ebuild | 796 -----------------------------------
 app-admin/consul/consul-1.9.1.ebuild | 775 ----------------------------------
 4 files changed, 2109 deletions(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-02 22:31:13 UTC
Thanks!
Comment 13 NATTkA bot gentoo-dev 2021-07-29 18:13:47 UTC
Package list is empty or all packages have requested keywords.
Comment 14 Larry the Git Cow gentoo-dev 2022-08-10 04:18:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f7375fcfd657cfc3887863e562d7feab296947e9

commit f7375fcfd657cfc3887863e562d7feab296947e9
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-10 04:07:00 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-10 04:17:29 +0000

    [ GLSA 202208-09 ] HashiCorp Consul: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/760696
    Bug: https://bugs.gentoo.org/783483
    Bug: https://bugs.gentoo.org/802522
    Bug: https://bugs.gentoo.org/812497
    Bug: https://bugs.gentoo.org/834006
    Bug: https://bugs.gentoo.org/838328
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-09.xml | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
Comment 15 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 04:28:46 UTC
GLSA released, all done!