[pkg-go] Bug#921156: etcd: CVE-2018-1098 CVE-2018-1099
Salvatore Bonaccorso
carnil at debian.org
Sat Feb 2 12:50:39 GMT 2019
Source: etcd
Version: 3.2.18+dfsg-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/coreos/etcd/issues/9353
Hi,
The following vulnerabilities were published for etcd. Not sure
exactly on the severity but prefer to be rather safe than sorry
afterwards.
CVE-2018-1098[0]:
| A cross-site request forgery flaw was found in etcd 3.3.1 and earlier.
| An attacker can set up a website that tries to send a POST request to
| the etcd server and modify a key. Adding a key is done with PUT so it
| is theoretically safe (can't PUT from an HTML form or such) but POST
| allows creating in-order keys that an attacker can send.
CVE-2018-1099[1]:
| DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An
| attacker can control his DNS records to direct to localhost, and trick
| the browser into sending requests to localhost (or any other address).
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-1098
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1098
[1] https://security-tracker.debian.org/tracker/CVE-2018-1099
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1099
[2] https://github.com/coreos/etcd/issues/9353
Regards,
Salvatore
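The two CVEs quoted above describe the same class of problem from two angles: a browser can be coaxed into sending a state-changing request to an etcd endpoint it was never meant to reach, either by cross-site form submission (CSRF, CVE-2018-1098) or by pointing an attacker-controlled DNS name at localhost (DNS rebinding, CVE-2018-1099). The Go program below is an added example written for this page; it is not etcd's code and not the upstream fix. It stands up a tiny in-memory key/value handler that imitates the shape of a `/v2/keys/` API and wraps it in a guard middleware with two defensive checks: the `Host` header must be on an allow-list (defeats rebinding, because the rebound browser still sends the attacker's hostname), and any non-GET request carrying an `Origin` header must have an `Origin` host matching the request `Host` (defeats cross-site POSTs). All names (`AllowedHosts`, `Guard`, `Probe`, `NewServer`) and the sample hosts and values are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
)

// AllowedHosts lists the Host header values this server will answer for.
// Constructed for the example; a real deployment would list its advertised client URLs.
var AllowedHosts = map[string]bool{
	"localhost:2379": true,
	"127.0.0.1:2379": true,
}

// hostAllowed is the DNS-rebinding check: a browser tricked into resolving
// attacker.example to 127.0.0.1 still sends "Host: attacker.example",
// which is not in the allow-list, so the request is refused.
func hostAllowed(host string) bool {
	return AllowedHosts[strings.ToLower(host)]
}

// originAllowed is the CSRF check for state-changing methods: browsers set
// Origin on cross-site POSTs, so an Origin whose host differs from the
// request Host is rejected. Requests with no Origin (curl, etcdctl) pass.
func originAllowed(origin, host string) bool {
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil {
		return false
	}
	return strings.EqualFold(u.Host, host)
}

// Guard applies both checks before handing the request to the store.
func Guard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !hostAllowed(r.Host) {
			http.Error(w, "unexpected Host header", http.StatusForbidden)
			return
		}
		if r.Method != http.MethodGet && r.Method != http.MethodHead &&
			!originAllowed(r.Header.Get("Origin"), r.Host) {
			http.Error(w, "cross-origin request rejected", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Store is a minimal stand-in for a keys API (not etcd's implementation).
type Store struct {
	mu   sync.Mutex
	data map[string]string
}

func (s *Store) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	key := strings.TrimPrefix(r.URL.Path, "/v2/keys/")
	s.mu.Lock()
	defer s.mu.Unlock()
	switch r.Method {
	case http.MethodGet:
		v, ok := s.data[key]
		if !ok {
			http.NotFound(w, r)
			return
		}
		fmt.Fprint(w, v)
	case http.MethodPut, http.MethodPost: // both are state-changing, both go through Guard
		s.data[key] = r.FormValue("value")
		w.WriteHeader(http.StatusCreated)
	default:
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
	}
}

// NewServer returns the guarded store.
func NewServer() http.Handler {
	return Guard(&Store{data: map[string]string{}})
}

// Probe sends one synthetic request (constructed in-process, no network)
// and returns the HTTP status code the guarded handler produced.
func Probe(h http.Handler, method, host, origin, path, body string) int {
	req := httptest.NewRequest(method, "http://"+host+path, strings.NewReader(body))
	req.Host = host
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if body != "" {
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := NewServer()
	fmt.Println("local PUT:       ", Probe(h, "PUT", "127.0.0.1:2379", "", "/v2/keys/a", "value=1"))
	fmt.Println("rebound GET:     ", Probe(h, "GET", "attacker.example", "", "/v2/keys/a", ""))
	fmt.Println("cross-site POST: ", Probe(h, "POST", "localhost:2379", "http://attacker.example", "/v2/keys/b", "value=x"))
}
```

The Host allow-list is the check that matters for rebinding because the browser's same-origin policy never fires: from the browser's point of view it is talking to attacker.example throughout, and only the server can notice that it is not that name. The Origin comparison is deliberately lenient toward requests with no Origin at all so that command-line clients keep working; a deployment that wants to be stricter can require an explicit Origin for every mutating request.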