CVE-2022-3866 (https://discuss.hashicorp.com/t/hcsec-2022-25-nomad-s-workload-identity-token-can-list-non-sensitive-metadata-for-nomad-paths/46167): HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 workload identity token can list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace. Fixed in 1.4.2. CVE-2022-3867 (https://discuss.hashicorp.com/t/hcsec-2022-26-nomad-s-event-stream-subscriber-using-acl-token-with-ttl-receive-updates-until-garbage-collected/46168): HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with TTL receive updates until token garbage is collected. Fixed in 1.4.2. Please bump to 1.4.2.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=427a7e41116651ab440672115ae6402d3711d36a commit 427a7e41116651ab440672115ae6402d3711d36a Author: John Helmert III <ajak@gentoo.org> AuthorDate: 2022-12-27 03:01:42 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-12-27 03:03:53 +0000 sys-cluster/nomad: drop 1.2.13, 1.4.1 Bug: https://bugs.gentoo.org/881269 Signed-off-by: John Helmert III <ajak@gentoo.org> sys-cluster/nomad/Manifest | 4 ---- sys-cluster/nomad/nomad-1.2.13.ebuild | 44 ----------------------------------- sys-cluster/nomad/nomad-1.4.1.ebuild | 44 ----------------------------------- 3 files changed, 92 deletions(-)
