CVE-2021-37218: HashiCorp Nomad and Nomad Enterprise Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.0.10 and 1.1.4. Please bump.
From the 1.2.1 changelog (https://github.com/hashicorp/nomad/releases/tag/v1.2.1): "Allow limiting QEMU arguments to reduce access to host resources. CVE-2021-43415 [GH-11542]"
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c21bc0f0950d9fbacfcd7c008176e927c726ce7e

commit c21bc0f0950d9fbacfcd7c008176e927c726ce7e
Author: William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-02-15 17:36:40 +0000
Commit: William Hubbs <williamh@gentoo.org>
CommitDate: 2022-02-15 17:39:50 +0000

    sys-cluster/nomad: 1.2.6 bump

    Bug: https://bugs.gentoo.org/812494
    Bug: https://bugs.gentoo.org/833157
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 sys-cluster/nomad/Manifest | 2 ++
 sys-cluster/nomad/files/nomad.service | 29 +++++++++++++++++++++
 sys-cluster/nomad/nomad-1.2.6.ebuild | 49 +++++++++++++++++++++++++++++++++++
 3 files changed, 80 insertions(+)
Please clean up.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=010bb3a5ba073cc25e34ec9c001154e38aa7f789

commit 010bb3a5ba073cc25e34ec9c001154e38aa7f789
Author: William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-02-20 18:51:24 +0000
Commit: William Hubbs <williamh@gentoo.org>
CommitDate: 2022-02-20 18:52:48 +0000

    sys-cluster/nomad: remove vulnerable versions

    Bug: https://bugs.gentoo.org/812494
    Bug: https://bugs.gentoo.org/833157
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 sys-cluster/nomad/Manifest | 1 -
 sys-cluster/nomad/metadata.xml | 1 -
 sys-cluster/nomad/nomad-1.0.9.ebuild | 45 ------------------------------------
 3 files changed, 47 deletions(-)
Thanks, all done!