[pkg-go] Bug#921156: etcd: CVE-2018-1098 CVE-2018-1099

Salvatore Bonaccorso carnil at debian.org
Sat Feb 2 12:50:39 GMT 2019

Source: etcd
Version: 3.2.18+dfsg-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/coreos/etcd/issues/9353


The following vulnerabilities were published for etcd. Not sure
exactly on the severity but prefer to be rather safe than sorry

| A cross-site request forgery flaw was found in etcd 3.3.1 and earlier.
| An attacker can set up a website that tries to send a POST request to
| the etcd server and modify a key. Adding a key is done with PUT so it
| is theoretically safe (can't PUT from an HTML form or such) but POST
| allows creating in-order keys that an attacker can send.

| DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An
| attacker can control his DNS records to direct to localhost, and trick
| the browser into sending requests to localhost (or any other address).

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1098
[1] https://security-tracker.debian.org/tracker/CVE-2018-1099
[2] https://github.com/coreos/etcd/issues/9353


More information about the Pkg-go-maintainers mailing list