CVE-2023-32082: etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to key names (not value) associated to a lease when `Keys` parameter is true, even a user doesn't have read permission to the keys. The impact is limited to a cluster which enables auth (RBAC). Versions 3.4.26 and 3.5.9 fix this issue. There are no known workarounds. Please bump to 3.4.26.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ce12bb86f1bd6f082d51696327a14e7df5e728c7 commit ce12bb86f1bd6f082d51696327a14e7df5e728c7 Author: Zac Medico <zmedico@gentoo.org> AuthorDate: 2023-05-19 21:08:08 +0000 Commit: Zac Medico <zmedico@gentoo.org> CommitDate: 2023-05-19 21:08:40 +0000 dev-db/etcd: add 3.4.26 Bug: https://bugs.gentoo.org/906656 Signed-off-by: Zac Medico <zmedico@gentoo.org> dev-db/etcd/Manifest | 2 ++ dev-db/etcd/etcd-3.4.26.ebuild | 79 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 81 insertions(+)
Thanks! Please stable when ready.
Please clean up the vulnerable version 3.4.16-r1.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8e796be5df2187467fe4e1bff71f6f085adf8f9b commit 8e796be5df2187467fe4e1bff71f6f085adf8f9b Author: Zac Medico <zmedico@gentoo.org> AuthorDate: 2023-10-20 00:49:13 +0000 Commit: Zac Medico <zmedico@gentoo.org> CommitDate: 2023-10-20 00:49:23 +0000 dev-db/etcd: drop vulnerable 3.4.16-r1 Bug: https://bugs.gentoo.org/906656 Signed-off-by: Zac Medico <zmedico@gentoo.org> dev-db/etcd/Manifest | 2 - dev-db/etcd/etcd-3.4.16-r1.ebuild | 79 --------------------------------------- dev-db/etcd/files/etcd.confd | 7 ---- dev-db/etcd/files/etcd.initd | 36 ------------------ dev-db/etcd/files/etcd.service | 17 --------- 5 files changed, 141 deletions(-)
