[Git][security-tracker-team/security-tracker][master] Add notes for nomad CVEs CVE-2022-24684 CVE-2022-24685 CVE-2021-43415

Neil Williams (@codehelp) codehelp at debian.org
Tue Apr 26 12:20:15 BST 2022 


Neil Williams pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8f68bed7 by Neil Williams at 2022-04-26T12:19:46+01:00
Add notes for nomad CVEs CVE-2022-24684 CVE-2022-24685 CVE-2021-43415

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -14103,11 +14103,14 @@ CVE-2022-24686 (HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.1
 	- nomad <unfixed>
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2022-01-nomad-artifact-download-race-condition/35559
 CVE-2022-24685 (HashiCorp Nomad and Nomad Enterprise 1.x before 1.0.17, 1.1.x before 1 ...)
-	- nomad <undetermined>
+	- nomad <unfixed>
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2022-03-nomad-malformed-job-parsing-results-in-excessive-cpu-usage/35561
+	NOTE: https://github.com/hashicorp/nomad/issues/12038
 CVE-2022-24684 (HashiCorp Nomad and Nomad Enterprise before 1.0.17, 1.1.x before 1.1.1 ...)
-	- nomad <undetermined>
+	- nomad <unfixed>
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2022-04-nomad-spread-job-stanza-may-trigger-panic-in-servers/35562
+	NOTE: https://github.com/hashicorp/nomad/issues/12039
+	NOTE: https://github.com/hashicorp/nomad/commit/c49359ad58f0af18a5697a0b7b9b6cca9656d267 (v1.2.6)
 CVE-2022-24683 (HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and ...)
 	- nomad <unfixed>
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2022-02-nomad-alloc-filesystem-and-container-escape/35560
@@ -32729,9 +32732,11 @@ CVE-2021-43417
 CVE-2021-43416
 	RESERVED
 CVE-2021-43415 (HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0, w ...)
-	- nomad <undetermined>
+	- nomad <unfixed>
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2021-31-nomad-qemu-task-driver-allowed-paths-bypass-with-job-args/32288
-	TODO: check
+	NOTE: https://github.com/hashicorp/nomad/issues/11542
+	NOTE: https://github.com/hashicorp/nomad/pull/11554
+	NOTE: https://github.com/hashicorp/nomad/commit/40de248b940eb7babbd4a08ebe9d6874758f5285 (v1.2.1)
 CVE-2021-43414 (An issue was discovered in GNU Hurd before 0.9 20210404-9. The use of  ...)
 	- hurd 1:0.9.git20210404-9
 CVE-2021-43413 (An issue was discovered in GNU Hurd before 0.9 20210404-9. A single pa ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f68bed7f741d2ddf81d7b112042c4daffa05174

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f68bed7f741d2ddf81d7b112042c4daffa05174
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220426/6d0322e2/attachment.htm>

More information about the debian-security-tracker-commits mailing list