Bug 777783 (CVE-2021-21390) - <net-fs/minio-2021. allows MITM modification of request bodies (CVE-2021-21390)
Summary: <net-fs/minio-2021. allows MITM modification of request bodies...
Alias: CVE-2021-21390
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa]
Depends on:
Reported: 2021-03-22 21:54 UTC by John Helmert III
Modified: 2021-04-06 21:48 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-22 21:54:12 UTC

MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-17T02-33-02Z, there is a vulnerability which enables MITM modification of request bodies that are meant to have integrity guaranteed by chunk signatures. In a PUT request using aws-chunked encoding, MinIO ordinarily verifies signatures at the end of a chunk. This check can be skipped if the client sends a false chunk size that is much greater than the actual data sent: the server accepts and completes the request without ever reaching the end of the chunk and thereby without ever checking the chunk signature. This is fixed in version RELEASE.2021-03-17T02-33-02Z. As a workaround one can avoid using "aws-chunked" encoding-based chunk signature upload requests and instead use TLS. MinIO SDKs automatically disable chunked encoding signature when the server endpoint is configured with TLS.

Please cleanup.
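
The check that the description above says could be skipped, as an added Python example (not MinIO's code and not part of the original report): a reader for aws-chunked bodies that treats a stream ending before the declared chunk size as an error instead of a completed upload. The string-to-sign follows AWS's published SigV4 streaming format; the function names are hypothetical, and the key, date, scope and seed signature are constructed sample values.

```python
import hashlib, hmac, io, re

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()
HEADER = re.compile(rb"([0-9a-fA-F]{1,8});chunk-signature=([0-9a-f]{64})\r\n")

class ChunkError(Exception):
    """Raised when an aws-chunked body is truncated, malformed or tampered with."""

def chunk_signature(key, date, scope, prev_sig, data):
    # SigV4 streaming string-to-sign: each chunk is chained to the previous signature.
    sts = "\n".join(["AWS4-HMAC-SHA256-PAYLOAD", date, scope, prev_sig,
                     EMPTY_SHA256, hashlib.sha256(data).hexdigest()])
    return hmac.new(key, sts.encode(), hashlib.sha256).hexdigest()

def encode(key, date, scope, seed_sig, chunks):
    # Client side: "<hex size>;chunk-signature=<sig>\r\n<data>\r\n", then a signed empty chunk.
    wire, prev = b"", seed_sig
    for data in [*chunks, b""]:
        prev = chunk_signature(key, date, scope, prev, data)
        wire += b"%x;chunk-signature=%s\r\n%s\r\n" % (len(data), prev.encode(), data)
    return wire

def decode(stream, key, date, scope, seed_sig, max_chunk=1 << 20):
    # Server side: return the body only if every chunk is complete and correctly signed.
    body, prev = b"", seed_sig
    while True:
        m = HEADER.fullmatch(stream.readline())
        if m is None:
            raise ChunkError("missing or malformed chunk header")
        size = int(m.group(1), 16)
        if size > max_chunk:
            raise ChunkError("declared chunk size exceeds limit")
        data = stream.read(size)
        # A stream that ends before the declared size is an error, never a normal
        # end of body; otherwise the signature check below would be skipped.
        if len(data) != size or stream.read(2) != b"\r\n":
            raise ChunkError("stream ended before declared chunk size")
        expected = chunk_signature(key, date, scope, prev, data)
        if not hmac.compare_digest(expected.encode(), m.group(2)):
            raise ChunkError("chunk signature mismatch")
        if size == 0:
            return body  # only the signed final chunk completes the upload
        body, prev = body + data, expected

# Constructed sample values (not real credentials or a real request).
KEY, DATE = b"constructed-signing-key", "20210317T000000Z"
SCOPE, SEED = "20210317/us-east-1/s3/aws4_request", "0" * 64
WIRE = encode(KEY, DATE, SCOPE, SEED, [b"first chunk ", b"second chunk"])
assert decode(io.BytesIO(WIRE), KEY, DATE, SCOPE, SEED) == b"first chunk second chunk"
```

The reader assumes a buffered stream whose `read(n)` returns fewer than `n` bytes only at end of input, as `io.BytesIO` and `io.BufferedReader` do.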
Comment 1 Larry the Git Cow gentoo-dev 2021-04-06 21:48:36 UTC
The bug has been referenced in the following commit(s):

commit bff564ea0bfb75d10deae852dc334e26f553ecd8
Author:     John Helmert III <>
AuthorDate: 2021-04-06 21:47:02 +0000
Commit:     John Helmert III <>
CommitDate: 2021-04-06 21:48:28 +0000

    net-fs/minio: drop 2021., 2021. (security)
    Signed-off-by: John Helmert III <>

 net-fs/minio/Manifest                         |  10 -
 net-fs/minio/minio-2021. | 939 --------------------------
 net-fs/minio/minio-2021. | 937 -------------------------
 3 files changed, 1886 deletions(-)