Debian Bug report logs - #921156
etcd: CVE-2018-1098 CVE-2018-1099
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>: Bug#921156; Package src:etcd. (Sat, 02 Feb 2019 12:51:09 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>. (Sat, 02 Feb 2019 12:51:09 GMT)
Message #5 received at submit@bugs.debian.org:
Source: etcd
Version: 3.2.18+dfsg-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/coreos/etcd/issues/9353
Hi,
The following vulnerabilities were published for etcd. I'm not sure
exactly about the severity, but I'd rather be safe than sorry
afterwards.
CVE-2018-1098[0]:
| A cross-site request forgery flaw was found in etcd 3.3.1 and earlier.
| An attacker can set up a website that tries to send a POST request to
| the etcd server and modify a key. Adding a key is done with PUT so it
| is theoretically safe (can't PUT from an HTML form or such) but POST
| allows creating in-order keys that an attacker can send.
CVE-2018-1099[1]:
| DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An
| attacker can control his DNS records to direct to localhost, and trick
| the browser into sending requests to localhost (or any other address).
If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-1098
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1098
[1] https://security-tracker.debian.org/tracker/CVE-2018-1099
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1099
[2] https://github.com/coreos/etcd/issues/9353
Regards,
Salvatore
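The two CVEs quoted above share one root cause: an API daemon bound to localhost trusts any request that arrives on the loopback interface, and a victim's browser can be made to send such requests. For CSRF the attacker page submits an HTML form POST (the page notes that PUT cannot be issued from a form, but POST to a directory creates in-order keys); for DNS rebinding the attacker's hostname is re-pointed at 127.0.0.1 after the page has loaded, so the browser then talks to the local daemon while still sending the attacker's name in the Host header. The Go program below is an added illustration, written for this editorial pass; it is not etcd's code and not the upstream patch referenced in this thread (what PR 9372 actually does is not described on this page). It shows the class of server-side check that defeats both attacks: an allowlist on the Host header and an allowlist on the Origin header for state-changing methods. `Guard`, `localGuard`, the hostname `attacker.example` and the request paths are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Guard fronts an HTTP key/value API with two checks (illustrative, not etcd's code):
//   - Host allowlist: under DNS rebinding the browser resolves the attacker's name
//     to 127.0.0.1, but the Host header still carries that name, so an allowlist
//     of the names the daemon expects to be reached by rejects the request.
//   - Origin allowlist on writes: a cross-site form POST carries the attacker page's
//     Origin; rejecting unknown Origins on POST/PUT/DELETE stops the CSRF write
//     while CLI clients, which send no Origin at all, keep working.
type Guard struct {
	Hosts   map[string]bool // allowed Host values, lower-case, port stripped
	Origins map[string]bool // allowed Origin values, lower-case
	Next    http.Handler
}

// hostOnly strips an optional :port from a Host header value.
func hostOnly(h string) string {
	if host, _, err := net.SplitHostPort(h); err == nil {
		return host
	}
	return strings.Trim(h, "[]") // bare IPv6 literal without a port
}

// Check returns the status the guard assigns and a short reason; StatusOK means pass.
func (g Guard) Check(r *http.Request) (int, string) {
	if !g.Hosts[strings.ToLower(hostOnly(r.Host))] {
		return http.StatusForbidden, "host not allowed (possible DNS rebinding)"
	}
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return http.StatusOK, "" // reads cannot create or modify keys
	}
	if o := strings.ToLower(r.Header.Get("Origin")); o != "" && !g.Origins[o] {
		return http.StatusForbidden, "origin not allowed (possible CSRF)"
	}
	return http.StatusOK, ""
}

func (g Guard) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if code, reason := g.Check(r); code != http.StatusOK {
		http.Error(w, reason, code)
		return
	}
	g.Next.ServeHTTP(w, r)
}

// browserRequest constructs the request a browser would emit: Host follows the URL
// the page used, Origin names the page that issued the request (empty for
// non-browser clients such as curl). The body is the kind an HTML form produces.
func browserRequest(method, host, origin, path string) *http.Request {
	r := httptest.NewRequest(method, "http://"+host+path, strings.NewReader("value=job1"))
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	return r
}

// localGuard models a daemon meant to be reached only as localhost and having no
// browser front end of its own, so every Origin it sees is foreign.
func localGuard() Guard {
	return Guard{
		Hosts:   map[string]bool{"localhost": true, "127.0.0.1": true, "::1": true},
		Origins: map[string]bool{},
		Next: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			w.WriteHeader(http.StatusCreated) // stands in for "key created"
		}),
	}
}

// Scenarios runs constructed requests (attacker.example is a made-up name) through
// the guard and returns the status each one receives.
func Scenarios() map[string]int {
	g := localGuard()
	cases := map[string]*http.Request{
		"curl POST localhost":       browserRequest("POST", "127.0.0.1:2379", "", "/v2/keys/queue"),
		"form POST from attacker":   browserRequest("POST", "localhost:2379", "http://attacker.example", "/v2/keys/queue"),
		"rebound GET":               browserRequest("GET", "attacker.example:2379", "", "/v2/keys/secret"),
		"rebound fetch with Origin": browserRequest("GET", "attacker.example:2379", "http://attacker.example", "/v2/keys/secret"),
	}
	out := make(map[string]int, len(cases))
	for name, r := range cases {
		rec := httptest.NewRecorder()
		g.ServeHTTP(rec, r)
		out[name] = rec.Code
	}
	return out
}

func main() {
	for name, code := range Scenarios() {
		fmt.Printf("%-26s -> %d\n", name, code)
	}
}
```

Two points a practitioner should take from this. First, binding to 127.0.0.1 is not a defence against rebinding: the rebound request really does arrive on the loopback interface, and only the Host header betrays it, which is why the allowlist must be explicit rather than "anything that reached me locally". Second, the Origin check is deliberately limited to state-changing methods and permits an absent Origin; a daemon with no browser front end has no legitimate cross-site caller, so any Origin it sees is foreign, while command-line clients never send one. A rebound GET would still be able to read keys if only the Origin check existed, so the Host check is what protects reads.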
Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 07 Feb 2019 17:30:10 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>: Bug#921156; Package src:etcd. (Tue, 12 Feb 2019 02:36:02 GMT)
Acknowledgement sent to Arnaud Rebillout <arnaud.rebillout@collabora.com>: Extra info received and forwarded to list. Copy sent to Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>. (Tue, 12 Feb 2019 02:36:02 GMT)
Message #12 received at 921156@bugs.debian.org:
I looked into this a bit yesterday.
As mentioned in the issue upstream at
https://github.com/etcd-io/etcd/issues/9353, the fix has been merged in
the master branch of etcd in March 2018, almost a year ago. The
conversation also mentions that this will be part of the next release
v3.4. However v3.4 has not been released yet.
And I don't think we want to package a random commit from the master
branch of etcd. So if we want to solve this bug simply by updating the
package, we'll have to wait for v3.4 to be released.
The other alternative is to cherry-pick the patch.
If I'm not mistaken, the fix can be found in this MR:
https://github.com/etcd-io/etcd/pull/9372/files. It's not a trivial
patch. It's unlikely that we can apply it without modification to the
etcd currently packaged in Debian.
I personally can't do that, as I know nothing about etcd anyway. I don't
know if someone feels up to the task, or has a better idea about how to
solve that.
Cheers,
Arnaud
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>: Bug#921156; Package src:etcd. (Wed, 20 Feb 2019 05:27:02 GMT)
Acknowledgement sent to Stephen Gelman <ssgelm@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>. (Wed, 20 Feb 2019 05:27:02 GMT)
Message #17 received at 921156@bugs.debian.org:
On Tue, 12 Feb 2019 09:32:48 +0700 Arnaud Rebillout
<arnaud.rebillout@collabora.com> wrote:
> I looked into this a bit yesterday.
>
> As mentioned in the issue upstream at
> https://github.com/etcd-io/etcd/issues/9353, the fix has been merged in
> the master branch of etcd in March 2018, almost a year ago. The
> conversation also mentions that this will be part of the next release
> v3.4. However v3.4 has not been released yet.
>
> And I don't think we want to package a random commit from the master
> branch of etcd. So if we want to solve this bug simply by updating the
> package, we'll have to wait for v3.4 to be released.
>
> The other alternative is to cherry-pick the patch.
>
> If I'm not mistaken, the fix can be found in this MR:
> https://github.com/etcd-io/etcd/pull/9372/files. It's not a trivial
> patch. It's unlikely that we can apply it without modification to the
> etcd currently packaged in Debian.
>
> I personally can't do that, as I know nothing about etcd anyway. I don't
> know if someone feels up to the task, or has a better idea about how to
> solve that.
>
> Cheers,
>
> Arnaud
Since upstream still hasn't released a version that fixes the CVE, is
this still considered an RC bug? Obviously it's better to fix it asap,
but if upstream doesn't consider it critical I'm not sure this should
be RC.
Stephen
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>: Bug#921156; Package src:etcd. (Fri, 22 Feb 2019 22:30:05 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>. (Fri, 22 Feb 2019 22:30:05 GMT)
Message #22 received at 921156@bugs.debian.org:
severity 921156 important
thanks
On Tue, Feb 19, 2019 at 11:24:47PM -0600, Stephen Gelman wrote:
> On Tue, 12 Feb 2019 09:32:48 +0700 Arnaud Rebillout
> <arnaud.rebillout@collabora.com> wrote:
> > I looked into this a bit yesterday.
> >
> > As mentioned in the issue upstream at
> > https://github.com/etcd-io/etcd/issues/9353, the fix has been merged in
> > the master branch of etcd in March 2018, almost a year ago. The
> > conversation also mentions that this will be part of the next release
> > v3.4. However v3.4 has not been released yet.
> >
> > And I don't think we want to package a random commit from the master
> > branch of etcd. So if we want to solve this bug simply by updating the
> > package, we'll have to wait for v3.4 to be released.
> >
> > The other alternative is to cherry-pick the patch.
> >
> > If I'm not mistaken, the fix can be found in this MR:
> > https://github.com/etcd-io/etcd/pull/9372/files. It's not a trivial
> > patch. It's unlikely that we can apply it without modification to the
> > etcd currently packaged in Debian.
> >
> > I personally can't do that, as I know nothing about etcd anyway. I don't
> > know if someone feels up to the task, or has a better idea about how to
> > solve that.
> >
> > Cheers,
> >
> > Arnaud
>
> Since upstream still hasn't released a version that fixes the CVE, is
> this still considered an RC bug? Obviously it's better to fix it asap,
> but if upstream doesn't consider it critical I'm not sure this should
> be RC.
Let's downgrade and revisit when a fix has been backported to a 3.2.x
release.
Cheers,
Moritz
Severity set to 'important' from 'grave'. Request was from Moritz Mühlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Fri, 22 Feb 2019 22:30:06 GMT)
Last modified: Wed Jun 19 16:27:59 2019