etcd: CVE-2018-1098 CVE-2018-1099

Debian Bug report logs - #921156

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 2 Feb 2019 12:51:06 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version etcd/3.2.18+dfsg-1

Forwarded to https://github.com/coreos/etcd/issues/9353



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>:
Bug#921156; Package src:etcd. (Sat, 02 Feb 2019 12:51:09 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>. (Sat, 02 Feb 2019 12:51:09 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: etcd: CVE-2018-1098 CVE-2018-1099
Date: Sat, 02 Feb 2019 13:50:39 +0100
Source: etcd
Version: 3.2.18+dfsg-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/coreos/etcd/issues/9353

Hi,

The following vulnerabilities were published for etcd. Not sure
exactly on the severity but prefer to be rather safe than sorry
afterwards.

CVE-2018-1098[0]:
| A cross-site request forgery flaw was found in etcd 3.3.1 and earlier.
| An attacker can set up a website that tries to send a POST request to
| the etcd server and modify a key. Adding a key is done with PUT so it
| is theoretically safe (can't PUT from an HTML form or such) but POST
| allows creating in-order keys that an attacker can send.

CVE-2018-1099[1]:
| DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An
| attacker can control his DNS records to direct to localhost, and trick
| the browser into sending requests to localhost (or any other address).

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1098
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1098
[1] https://security-tracker.debian.org/tracker/CVE-2018-1099
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1099
[2] https://github.com/coreos/etcd/issues/9353

Regards,
Salvatore
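The two CVE descriptions above each name a check the server side was missing: a Host header that is not one of the daemon's own names (DNS rebinding) and a state-changing request whose Origin is another site (CSRF). The Go wrapper below is an added example of those two checks, not etcd's code and not the upstream fix; the allowed host names and the /v2/keys probe path are assumed for illustration.

```go
package main

import (
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Host names this daemon answers to (constructed); a rebound request carries the attacker's domain.
var allowedHosts = map[string]bool{"localhost": true, "127.0.0.1": true}

func hostAllowed(host string) bool {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h // drop the port
	}
	return allowedHosts[strings.ToLower(strings.TrimSuffix(host, "."))]
}

// Requests without Origin (etcdctl, curl) pass; a browser's cross-site form
// POST always carries the attacking page's origin, which must be one of ours.
func originAllowed(origin string) bool {
	u, err := url.Parse(origin)
	return origin == "" || (err == nil && hostAllowed(u.Host))
}

// Guard rejects rebound Host headers on every request and cross-origin writes.
func Guard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		write := r.Method != http.MethodGet && r.Method != http.MethodHead
		if !hostAllowed(r.Host) || (write && !originAllowed(r.Header.Get("Origin"))) {
			http.Error(w, "rebound host or cross-origin write", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe returns the status Guard gives one constructed request to /v2/keys.
func Probe(method, host, origin string) int {
	req := httptest.NewRequest(method, "http://"+host+"/v2/keys/q", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder() // Code stays 200 if the guard passes
	Guard(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})).ServeHTTP(rec, req)
	return rec.Code
}
```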



Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 07 Feb 2019 17:30:10 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>:
Bug#921156; Package src:etcd. (Tue, 12 Feb 2019 02:36:02 GMT)


Acknowledgement sent to Arnaud Rebillout <arnaud.rebillout@collabora.com>:
Extra info received and forwarded to list. Copy sent to Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>. (Tue, 12 Feb 2019 02:36:02 GMT)


Message #12 received at 921156@bugs.debian.org:

From: Arnaud Rebillout <arnaud.rebillout@collabora.com>
To: 921156@bugs.debian.org
Cc: foka@debian.org
Subject: Re: etcd: CVE-2018-1098 CVE-2018-1099
Date: Tue, 12 Feb 2019 09:32:48 +0700

I looked into this a bit yesterday.

As mentioned in the issue upstream at
https://github.com/etcd-io/etcd/issues/9353, the fix has been merged in
the master branch of etcd in March 2018, almost a year ago. The
conversation also mentions that this will be part of the next release
v3.4. However v3.4 has not been released yet.

And I don't think we want to package a random commit from the master
branch of etcd. So if we want to solve this bug simply by updating the
package, we'll have to wait for v3.4 to be released.

The other alternative is to cherry-pick the patch.

If I'm not mistaken, the fix can be found in this MR:
https://github.com/etcd-io/etcd/pull/9372/files. It's not a trivial
patch. It's unlikely that we can apply it without modification on the
etcd currently packaged in Debian.

I personally can't do that, as I know nothing about etcd anyway. I don't
know if someone feels up to the task, or has a better idea about how to
solve that.

Cheers,

  Arnaud




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>:
Bug#921156; Package src:etcd. (Wed, 20 Feb 2019 05:27:02 GMT)


Acknowledgement sent to Stephen Gelman <ssgelm@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>. (Wed, 20 Feb 2019 05:27:02 GMT)


Message #17 received at 921156@bugs.debian.org:

From: Stephen Gelman <ssgelm@debian.org>
To: 921156@bugs.debian.org
Subject: Re: etcd: CVE-2018-1098 CVE-2018-1099
Date: Tue, 19 Feb 2019 23:24:47 -0600

On Tue, 12 Feb 2019 09:32:48 +0700 Arnaud Rebillout
<arnaud.rebillout@collabora.com> wrote:
> I looked into this a bit yesterday.
>
> As mentioned in the issue upstream at
> https://github.com/etcd-io/etcd/issues/9353, the fix has been merged in
> the master branch of etcd in March 2018, almost a year ago. The
> conversation also mentions that this will be part of the next release
> v3.4. However v3.4 has not been released yet.
>
> And I don't think we want to package a random commit from the master
> branch of etcd. So if we want to solve this bug simply by updating the
> package, we'll have to wait for v3.4 to be released.
>
> The other alternative is to cherry-pick the patch.
>
> If I'm not mistaken, the fix can be found in this MR:
> https://github.com/etcd-io/etcd/pull/9372/files. It's not a trivial
> patch. It's unlikely that we can apply it without modification on the
> etcd currently packaged in Debian.
>
> I personally can't do that, as I know nothing about etcd anyway. I don't
> know if someone feels up to the task, or has a better idea about how to
> solve that.
>
> Cheers,
>
>   Arnaud

Since upstream still hasn't released a version that fixes the CVE, is
this still considered an RC bug?  Obviously it's better to fix it asap,
but if upstream doesn't consider it critical I'm not sure this should
be RC.

Stephen



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>:
Bug#921156; Package src:etcd. (Fri, 22 Feb 2019 22:30:05 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>. (Fri, 22 Feb 2019 22:30:05 GMT)


Message #22 received at 921156@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Stephen Gelman <ssgelm@debian.org>
Cc: 921156@bugs.debian.org, control@bugs.debian.org
Subject: Re: etcd: CVE-2018-1098 CVE-2018-1099
Date: Fri, 22 Feb 2019 23:27:13 +0100

severity 921156 important
thanks

On Tue, Feb 19, 2019 at 11:24:47PM -0600, Stephen Gelman wrote:
> On Tue, 12 Feb 2019 09:32:48 +0700 Arnaud Rebillout
> <arnaud.rebillout@collabora.com> wrote:
> > I looked into this a bit yesterday.
> >
> > As mentioned in the issue upstream at
> > https://github.com/etcd-io/etcd/issues/9353, the fix has been merged in
> > the master branch of etcd in March 2018, almost a year ago. The
> > conversation also mentions that this will be part of the next release
> > v3.4. However v3.4 has not been released yet.
> >
> > And I don't think we want to package a random commit from the master
> > branch of etcd. So if we want to solve this bug simply by updating the
> > package, we'll have to wait for v3.4 to be released.
> >
> > The other alternative is to cherry-pick the patch.
> >
> > If I'm not mistaken, the fix can be found in this MR:
> > https://github.com/etcd-io/etcd/pull/9372/files. It's not a trivial
> > patch. It's unlikely that we can apply it without modification on the
> > etcd currently packaged in Debian.
> >
> > I personally can't do that, as I know nothing about etcd anyway. I don't
> > know if someone feels up to the task, or has a better idea about how to
> > solve that.
> >
> > Cheers,
> >
> >   Arnaud
> 
> Since upstream still hasn't released a version that fixes the CVE, is
> this still considered an RC bug?  Obviously it's better to fix it asap,
> but if upstream doesn't consider it critical I'm not sure this should
> be RC.

Let's downgrade and revisit when a fix has been backported to a 3.2.x
release.

Cheers,
        Moritz



Severity set to 'important' from 'grave'. Request was from Moritz Mühlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Fri, 22 Feb 2019 22:30:06 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:27:59 2019; Machine Name: buxtehude
