CVE-2022-26945: HashiCorp go-getter before 2.0.2 allows Command Injection.
CVE-2022-30321: HashiCorp go-getter through 2.0.2 does not safely perform downloads (issue 1 of 3).
CVE-2022-30322: HashiCorp go-getter through 2.0.2 does not safely perform downloads (issue 2 of 3).
CVE-2022-30323: HashiCorp go-getter through 2.0.2 does not safely perform downloads (issue 3 of 3).

Fixes in 1.6.1 and 2.1.0 according to URL.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aa26e16b7363bec0c99a1cd145db4d1e474c883b

commit aa26e16b7363bec0c99a1cd145db4d1e474c883b
Author: William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-06-22 19:30:29 +0000
Commit: William Hubbs <williamh@gentoo.org>
CommitDate: 2022-06-22 19:31:59 +0000

app-admin/terraform: stabilize 1.2.2 for amd64

Bug: https://bugs.gentoo.org/847988
Signed-off-by: William Hubbs <williamh@gentoo.org>

app-admin/terraform/terraform-1.2.2.ebuild | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03e7a1c9d769adc424f2004394ee9cef010bdfea

commit 03e7a1c9d769adc424f2004394ee9cef010bdfea
Author: William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-06-22 19:41:23 +0000
Commit: William Hubbs <williamh@gentoo.org>
CommitDate: 2022-06-22 19:42:16 +0000

app-admin/terraform: drop vulnerable versions

Bug: https://bugs.gentoo.org/847988
Closes: https://bugs.gentoo.org/844283
Signed-off-by: William Hubbs <williamh@gentoo.org>

app-admin/terraform/Manifest | 1474 --------------------------
app-admin/terraform/terraform-0.14.10.ebuild | 961 -----------------
app-admin/terraform/terraform-0.14.11.ebuild | 34 -
app-admin/terraform/terraform-0.15.5.ebuild | 1075 -------------------
app-admin/terraform/terraform-1.0.1.ebuild | 1075 -------------------
app-admin/terraform/terraform-1.0.10.ebuild | 1091 -------------------
app-admin/terraform/terraform-1.0.3.ebuild | 1089 -------------------
app-admin/terraform/terraform-1.0.4.ebuild | 1089 -------------------
app-admin/terraform/terraform-1.0.5.ebuild | 1085 -------------------
app-admin/terraform/terraform-1.0.6.ebuild | 1091 -------------------
app-admin/terraform/terraform-1.0.7.ebuild | 1091 -------------------
app-admin/terraform/terraform-1.0.8.ebuild | 1091 -------------------
app-admin/terraform/terraform-1.0.9.ebuild | 1091 -------------------
app-admin/terraform/terraform-1.1.2.ebuild | 1217 ---------------------
app-admin/terraform/terraform-1.1.5.ebuild | 1217 ---------------------
app-admin/terraform/terraform-1.1.7.ebuild | 32 -
16 files changed, 15803 deletions(-)
Thanks! It doesn't seem terraform is actually vulnerable here (hashicorp never put out an advisory for it), but we're fixed now anyway.