influxdb: CVE-2019-20933

Related Vulnerabilities: CVE-2019-20933  

Debian Bug report logs - #978087
influxdb: CVE-2019-20933

version graph

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 25 Dec 2020 20:30:01 UTC

Severity: grave

Tags: security, upstream

Found in versions influxdb/1.0.2+dfsg1-1, influxdb/1.6.4-1, influxdb/1.6.4-2

Fixed in versions influxdb/1.1.1+dfsg1-4+deb9u1, influxdb/1.6.7~rc0-1

Done: Shengjing Zhu <zhsj@debian.org>

Forwarded to https://github.com/influxdata/influxdb/issues/12927

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Go Packaging Team <team+pkg-go@tracker.debian.org>:
Bug#978087; Package src:influxdb. (Fri, 25 Dec 2020 20:30:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Go Packaging Team <team+pkg-go@tracker.debian.org>. (Fri, 25 Dec 2020 20:30:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: influxdb: CVE-2019-20933
Date: Fri, 25 Dec 2020 21:27:34 +0100
Source: influxdb
Version: 1.6.4-2
Severity: grave
Tags: security upstream
Forwarded: https://github.com/influxdata/influxdb/issues/12927
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 1.6.4-1
Control: found -1 1.0.2+dfsg1-1
Control: fixed -1 1.1.1+dfsg1-4+deb9u1

Hi,

The following vulnerability was published for influxdb.

CVE-2019-20933[0]:
| InfluxDB before 1.7.6 has an authentication bypass vulnerability in
| the authenticate function in services/httpd/handler.go because a JWT
| token may have an empty SharedSecret (aka shared secret).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-20933
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20933
[1] https://github.com/influxdata/influxdb/issues/12927
[2] https://github.com/influxdata/influxdb/commit/761b557315ff9c1642cf3b0e5797cd3d983a24c0

Regards,
Salvatore



Marked as found in versions influxdb/1.6.4-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 25 Dec 2020 20:30:03 GMT) (full text, mbox, link).


Marked as found in versions influxdb/1.0.2+dfsg1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 25 Dec 2020 20:30:04 GMT) (full text, mbox, link).


Marked as fixed in versions influxdb/1.1.1+dfsg1-4+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 25 Dec 2020 20:30:04 GMT) (full text, mbox, link).


Reply sent to Shengjing Zhu <zhsj@debian.org>:
You have taken responsibility. (Sat, 26 Dec 2020 17:27:05 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 26 Dec 2020 17:27:05 GMT) (full text, mbox, link).


Message #16 received at 978087-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 978087-close@bugs.debian.org
Subject: Bug#978087: fixed in influxdb 1.6.7~rc0-1
Date: Sat, 26 Dec 2020 17:22:43 +0000
Source: influxdb
Source-Version: 1.6.7~rc0-1
Done: Shengjing Zhu <zhsj@debian.org>

We believe that the bug you reported is fixed in the latest version of
influxdb, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 978087@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Shengjing Zhu <zhsj@debian.org> (supplier of updated influxdb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 27 Dec 2020 01:06:41 +0800
Source: influxdb
Architecture: source
Version: 1.6.7~rc0-1
Distribution: unstable
Urgency: high
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Changed-By: Shengjing Zhu <zhsj@debian.org>
Closes: 978087
Changes:
 influxdb (1.6.7~rc0-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream version 1.6.7~rc0
     Fix CVE-2019-20933 Password bypass vulnerability (Closes: #978087)
     https://github.com/influxdata/influxdb/pull/13133
   * Update Homepage
   * Bump debhelper-compat to 13
   * Fix Vcs-Git and Vcs-Browser address
   * Update uscan watch file version
   * Remove broken lintian overrides
   * Fix skip-systemd-native-flag-missing-pre-depends
Checksums-Sha1:
 8d85a20b5efcc870fdbe51d1fbdb0acc3c3ea73a 2795 influxdb_1.6.7~rc0-1.dsc
 6b6edcaf3155c133c065e2c3346c404458ea5441 1515340 influxdb_1.6.7~rc0.orig.tar.gz
 5951123429e6d53bedc32f415d1eb8f7345d2dc6 16060 influxdb_1.6.7~rc0-1.debian.tar.xz
 84301ac05fe454cbfd6b0db0757e17585db2a278 11204 influxdb_1.6.7~rc0-1_amd64.buildinfo
Checksums-Sha256:
 5c01d62a1174a4d93dfc966c603bdb5f2192e02bcba1fc8db97f2415cb494d1d 2795 influxdb_1.6.7~rc0-1.dsc
 bae5ffedd41942d9d06a4a3394c45748c6fdb39c3acfbcbb1326f706bb5fa548 1515340 influxdb_1.6.7~rc0.orig.tar.gz
 2090498215bad067d7cd750a7af2c6455fe149d2e4e09b90712be755d2bc74f1 16060 influxdb_1.6.7~rc0-1.debian.tar.xz
 4d239019a56058e8d6e1a87f12af86c75255792a2c98fc989c9189b444e759b2 11204 influxdb_1.6.7~rc0-1_amd64.buildinfo
Files:
 e2c6ca44a2705449c5a07849520f7f6f 2795 database optional influxdb_1.6.7~rc0-1.dsc
 995b39f91cf18230a326bf2de55b1792 1515340 database optional influxdb_1.6.7~rc0.orig.tar.gz
 5a569ecc500002d3615bf4d969576c3a 16060 database optional influxdb_1.6.7~rc0-1.debian.tar.xz
 ab4d40cc3fe1eea81f60144f40a4da1e 11204 database optional influxdb_1.6.7~rc0-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iIYEARYIAC4WIQTiXc95jUQrjt9HgU3EhUo4GOCwFgUCX+duVRAcemhzakBkZWJp
YW4ub3JnAAoJEMSFSjgY4LAWoPMA/2g7QPv923hQ0Fgj2nbGshNApIm1r3TNMnEn
7xZ+mocmAP9SJVBgHF6v1JBM2SX2wXLO7avzSd4NGXXDzqA6YJeHAA==
=p7+W
-----END PGP SIGNATURE-----




Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jan 9 13:05:54 2021; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.