CVE-2021-38553 (https://discuss.hashicorp.com/t/hcsec-2021-20-vault-s-integrated-storage-backend-database-file-may-have-excessively-broad-permissions/28168): HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0. CVE-2021-38554 (https://discuss.hashicorp.com/t/hcsec-2021-19-vault-s-ui-cached-user-viewed-secrets-between-shared-browser-sessions/28166): HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases.
CVE-2021-37219: This PR adds authorization to Raft RPC requests by verifying the client TLS cert has an appropriate Subject.DNSName, and that the certificate is signed by the Agent TLS CA (not the Connect CA). Fixed in 1.8.15, 1.9.9, 1.10.2, please bump.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=17b1b7907ca91bbddbab06fd688737be5180ed9f commit 17b1b7907ca91bbddbab06fd688737be5180ed9f Author: Zac Medico <zmedico@gentoo.org> AuthorDate: 2021-09-11 04:59:20 +0000 Commit: Zac Medico <zmedico@gentoo.org> CommitDate: 2021-09-11 04:59:34 +0000 app-admin/vault: Remove vul versions wrt bug #808093 Bug: https://bugs.gentoo.org/808093 Package-Manager: Portage-3.0.22, Repoman-3.0.3 Signed-off-by: Zac Medico <zmedico@gentoo.org> app-admin/vault/Manifest | 28 - app-admin/vault/vault-1.5.9.ebuild | 73 -- app-admin/vault/vault-1.6.5.ebuild | 73 -- app-admin/vault/vault-1.7.3.ebuild | 73 -- app-admin/vault/vault-1.8.1.ebuild | 1804 ------------------------------------ 5 files changed, 2051 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e1208df5d84cfd3be57e0f5dd85958ef39b794a commit 6e1208df5d84cfd3be57e0f5dd85958ef39b794a Author: Zac Medico <zmedico@gentoo.org> AuthorDate: 2021-09-11 04:50:51 +0000 Commit: Zac Medico <zmedico@gentoo.org> CommitDate: 2021-09-11 04:55:48 +0000 app-admin/vault: Bump to version 1.8.2 Bug: https://bugs.gentoo.org/808093 Package-Manager: Portage-3.0.22, Repoman-3.0.3 Signed-off-by: Zac Medico <zmedico@gentoo.org> app-admin/vault/Manifest | 43 + app-admin/vault/vault-1.8.2.ebuild | 1825 ++++++++++++++++++++++++++++++++++++ 2 files changed, 1868 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1391df753e8d0791f02eb3930065eced4b2b926f commit 1391df753e8d0791f02eb3930065eced4b2b926f Author: Zac Medico <zmedico@gentoo.org> AuthorDate: 2021-09-11 04:04:43 +0000 Commit: Zac Medico <zmedico@gentoo.org> CommitDate: 2021-09-11 04:05:46 +0000 app-admin/vault: Bump to version 1.7.4 Bug: https://bugs.gentoo.org/808093 Package-Manager: Portage-3.0.22, Repoman-3.0.3 Signed-off-by: Zac Medico <zmedico@gentoo.org> app-admin/vault/Manifest | 2 ++ app-admin/vault/vault-1.7.4.ebuild | 73 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 75 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=39dfcc81825ef9acc97efb7de5a78eb9f6b1a8e2 commit 39dfcc81825ef9acc97efb7de5a78eb9f6b1a8e2 Author: Zac Medico <zmedico@gentoo.org> AuthorDate: 2021-09-11 03:35:34 +0000 Commit: Zac Medico <zmedico@gentoo.org> CommitDate: 2021-09-11 03:37:50 +0000 app-admin/vault: Bump to version 1.6.6 Bug: https://bugs.gentoo.org/808093 Package-Manager: Portage-3.0.22, Repoman-3.0.3 Signed-off-by: Zac Medico <zmedico@gentoo.org> app-admin/vault/Manifest | 2 ++ app-admin/vault/vault-1.6.6.ebuild | 73 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 75 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=097078b20fdff07ff5f155acfc1917e2b37b2566 commit 097078b20fdff07ff5f155acfc1917e2b37b2566 Author: Zac Medico <zmedico@gentoo.org> AuthorDate: 2021-09-10 21:57:30 -0700 Commit: Zac Medico <zmedico@gentoo.org> CommitDate: 2021-09-10 21:57:45 -0700 app-admin/vault: amd64 stable version 1.6.6 wrt bug #808093 https://bugs.gentoo.org/808093 Package-Manager: Portage-3.0.22, Repoman-3.0.3 Signed-off-by: Zac Medico <zmedico@gentoo.org> app-admin/vault/vault-1.6.6.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
Thanks!
Unable to check for sanity: > no match for package: app-admin/vault-1.6.6
Unable to check for sanity: > no match for package: app-admin/vault-1.8.2
Unable to check for sanity: > no match for package: app-admin/vault-1.8.4
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=254c716d0dd35a6846f281fd4a3eaf970dc0bede commit 254c716d0dd35a6846f281fd4a3eaf970dc0bede Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-07-29 21:22:59 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-08-01 18:05:08 +0000 [ GLSA-202207-01 ] HashiCorp Vault: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/768312 Bug: https://bugs.gentoo.org/797244 Bug: https://bugs.gentoo.org/808093 Bug: https://bugs.gentoo.org/817269 Bug: https://bugs.gentoo.org/827945 Bug: https://bugs.gentoo.org/829493 Bug: https://bugs.gentoo.org/835070 Bug: https://bugs.gentoo.org/845405 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202207-01.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+)
GLSA released, all done!
