Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 802522 (CVE-2021-32574, CVE-2021-36213) - <app-admin/consul-{1.8.14,1.9.8}: multiple vulnerabilities (CVE-2021-{32574,36213})
Summary: <app-admin/consul-{1.8.14,1.9.8}: multiple vulnerabilities (CVE-2021-{32574,3...
Status: RESOLVED FIXED
Alias: CVE-2021-32574, CVE-2021-36213
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa+]
Keywords:
Depends on:
Blocks: CVE-2020-25864, CVE-2021-28156
  Show dependency tree
 
Reported: 2021-07-17 00:46 UTC by John Helmert III
Modified: 2022-08-10 04:23 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-17 00:46:24 UTC
1.8.14 changelog (https://github.com/hashicorp/consul/releases/tag/v1.8.14) has:

    xds: ensure envoy verifies the subject alternative name for upstreams CVE-2021-32574 [GH-10621]

1.9.8 (https://github.com/hashicorp/consul/releases/tag/v1.9.8) and 1.10.1 (https://github.com/hashicorp/consul/releases/tag/v1.10.1) also include:

    xds: ensure single L7 deny intention with default deny policy does not result in allow action CVE-2021-36213 [GH-10619]


Please bump.

Alos, is 1.7.x unaffected or is it now unsupported?
Comment 2 Larry the Git Cow gentoo-dev 2021-07-17 04:39:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01fe78974a8b063728f48015885caa9eea4a9c24

commit 01fe78974a8b063728f48015885caa9eea4a9c24
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-07-17 04:36:20 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-07-17 04:39:10 +0000

    app-admin/consul: Bump to version 1.9.8
    
    Bug: https://bugs.gentoo.org/802522
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest            |   4 +
 app-admin/consul/consul-1.9.8.ebuild | 781 +++++++++++++++++++++++++++++++++++
 2 files changed, 785 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ad2710df823a1333cb8b70e2157cd90abe13da6d

commit ad2710df823a1333cb8b70e2157cd90abe13da6d
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-07-17 04:24:57 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-07-17 04:39:10 +0000

    app-admin/consul: Bump to version 1.8.14
    
    Bug: https://bugs.gentoo.org/802522
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest             |   8 +
 app-admin/consul/consul-1.8.14.ebuild | 767 ++++++++++++++++++++++++++++++++++
 2 files changed, 775 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2021-07-17 04:44:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=34f3981f6e9fc4e2c339cc0f19a74527050bd3d5

commit 34f3981f6e9fc4e2c339cc0f19a74527050bd3d5
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-07-17 04:41:03 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-07-17 04:44:12 +0000

    app-admin/consul: Remove vulnerable versions except 1.7.11
    
    Keep 1.7.11 since it has a stable keyword.
    
    Bug: https://bugs.gentoo.org/802522
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest             |  24 -
 app-admin/consul/consul-1.7.14.ebuild | 586 -------------------------
 app-admin/consul/consul-1.8.12.ebuild | 801 ----------------------------------
 app-admin/consul/consul-1.9.6.ebuild  | 773 --------------------------------
 4 files changed, 2184 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-17 04:47:13 UTC
Thank you! Please stabilize a fixed version
Comment 5 Larry the Git Cow gentoo-dev 2021-07-17 16:31:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=51d8b2030e2b909683ff8b529f7cefc043a97e9b

commit 51d8b2030e2b909683ff8b529f7cefc043a97e9b
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-07-17 16:30:33 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-07-17 16:31:15 +0000

    app-admin/consul: Drop vulnerable version 1.7.11
    
    Bug: https://bugs.gentoo.org/802522
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/Manifest             | 126 --------
 app-admin/consul/consul-1.7.11.ebuild | 581 ----------------------------------
 2 files changed, 707 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4ec1ff5fe6382f6647310c215323964b456e287c

commit 4ec1ff5fe6382f6647310c215323964b456e287c
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-07-17 16:29:17 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-07-17 16:29:26 +0000

    app-admin/consul: Stabilize 1.8.14 for amd64
    
    Bug: https://bugs.gentoo.org/802522
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/consul/consul-1.8.14.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-17 16:40:10 UTC
Thank you!
Comment 7 NATTkA bot gentoo-dev 2021-07-29 17:20:58 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 17:29:06 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-07-29 17:37:02 UTC Comment hidden (obsolete)
Comment 10 NATTkA bot gentoo-dev 2021-07-29 17:45:05 UTC Comment hidden (obsolete)
Comment 11 NATTkA bot gentoo-dev 2021-07-29 17:53:08 UTC Comment hidden (obsolete)
Comment 12 NATTkA bot gentoo-dev 2021-07-29 18:01:04 UTC Comment hidden (obsolete)
Comment 13 NATTkA bot gentoo-dev 2021-07-29 18:09:21 UTC
Package list is empty or all packages have requested keywords.
Comment 14 Larry the Git Cow gentoo-dev 2022-08-10 04:18:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f7375fcfd657cfc3887863e562d7feab296947e9

commit f7375fcfd657cfc3887863e562d7feab296947e9
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-10 04:07:00 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-10 04:17:29 +0000

    [ GLSA 202208-09 ] HashiCorp Consul: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/760696
    Bug: https://bugs.gentoo.org/783483
    Bug: https://bugs.gentoo.org/802522
    Bug: https://bugs.gentoo.org/812497
    Bug: https://bugs.gentoo.org/834006
    Bug: https://bugs.gentoo.org/838328
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-09.xml | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
Comment 15 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 04:23:44 UTC
GLSA released, all done!