Bug 808093 (CVE-2021-37219, CVE-2021-38553, CVE-2021-38554) - <app-admin/vault-{1.6.6,1.7.4,1.8.2}: multiple vulnerabilities (CVE-2021-{38553,38554})
Summary: <app-admin/vault-{1.6.6,1.7.4,1.8.2}: multiple vulnerabilities (CVE-2021-{385...
Status: IN_PROGRESS
Alias: CVE-2021-37219, CVE-2021-38553, CVE-2021-38554
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-08-14 04:01 UTC by John Helmert III
Modified: 2021-10-10 05:44 UTC

See Also:
Package list:
app-admin/vault-1.8.4 amd64
Runtime testing required: ---
nattka: sanity-check-


Description John Helmert III gentoo-dev Security 2021-08-14 04:01:32 UTC
CVE-2021-38553 (https://discuss.hashicorp.com/t/hcsec-2021-20-vault-s-integrated-storage-backend-database-file-may-have-excessively-broad-permissions/28168):

HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0.

CVE-2021-38554 (https://discuss.hashicorp.com/t/hcsec-2021-19-vault-s-ui-cached-user-viewed-secrets-between-shared-browser-sessions/28166):

HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases.
Comment 1 John Helmert III gentoo-dev Security 2021-08-28 15:14:08 UTC
CVE-2021-37219:

This PR adds authorization to Raft RPC requests by verifying the client TLS cert has an appropriate Subject.DNSName, and that the certificate is signed by the Agent TLS CA (not the Connect CA).


Fixed in 1.8.15, 1.9.9, 1.10.2, please bump.
Comment 2 Larry the Git Cow gentoo-dev 2021-09-11 05:03:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=17b1b7907ca91bbddbab06fd688737be5180ed9f

commit 17b1b7907ca91bbddbab06fd688737be5180ed9f
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-09-11 04:59:20 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-09-11 04:59:34 +0000

    app-admin/vault: Remove vul versions wrt bug #808093
    
    Bug: https://bugs.gentoo.org/808093
    Package-Manager: Portage-3.0.22, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest           |   28 -
 app-admin/vault/vault-1.5.9.ebuild |   73 --
 app-admin/vault/vault-1.6.5.ebuild |   73 --
 app-admin/vault/vault-1.7.3.ebuild |   73 --
 app-admin/vault/vault-1.8.1.ebuild | 1804 ------------------------------------
 5 files changed, 2051 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e1208df5d84cfd3be57e0f5dd85958ef39b794a

commit 6e1208df5d84cfd3be57e0f5dd85958ef39b794a
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-09-11 04:50:51 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-09-11 04:55:48 +0000

    app-admin/vault: Bump to version 1.8.2
    
    Bug: https://bugs.gentoo.org/808093
    Package-Manager: Portage-3.0.22, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest           |   43 +
 app-admin/vault/vault-1.8.2.ebuild | 1825 ++++++++++++++++++++++++++++++++++++
 2 files changed, 1868 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1391df753e8d0791f02eb3930065eced4b2b926f

commit 1391df753e8d0791f02eb3930065eced4b2b926f
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-09-11 04:04:43 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-09-11 04:05:46 +0000

    app-admin/vault: Bump to version 1.7.4
    
    Bug: https://bugs.gentoo.org/808093
    Package-Manager: Portage-3.0.22, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest           |  2 ++
 app-admin/vault/vault-1.7.4.ebuild | 73 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 75 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=39dfcc81825ef9acc97efb7de5a78eb9f6b1a8e2

commit 39dfcc81825ef9acc97efb7de5a78eb9f6b1a8e2
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-09-11 03:35:34 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-09-11 03:37:50 +0000

    app-admin/vault: Bump to version 1.6.6
    
    Bug: https://bugs.gentoo.org/808093
    Package-Manager: Portage-3.0.22, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest           |  2 ++
 app-admin/vault/vault-1.6.6.ebuild | 73 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 75 insertions(+)
Comment 3 Zac Medico gentoo-dev 2021-09-11 05:07:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=097078b20fdff07ff5f155acfc1917e2b37b2566

commit 097078b20fdff07ff5f155acfc1917e2b37b2566
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-09-10 21:57:30 -0700
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-09-10 21:57:45 -0700

    app-admin/vault: amd64 stable version 1.6.6 wrt bug #808093
    
    https://bugs.gentoo.org/808093
    Package-Manager: Portage-3.0.22, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/vault-1.6.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 4 John Helmert III gentoo-dev Security 2021-09-11 16:27:14 UTC
Thanks!
Comment 5 NATTkA bot gentoo-dev 2021-09-24 02:56:31 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-10-10 05:28:33 UTC
Unable to check for sanity:

> no match for package: app-admin/vault-1.8.2