[pkg-go] Bug#950736: consul: CVE-2020-7219 CVE-2020-7955
Salvatore Bonaccorso
carnil at debian.org
Wed Feb 5 13:46:12 GMT 2020
Source: consul
Version: 1.5.2+dfsg2-14
Severity: grave
Tags: security upstream
Hi,
The following vulnerabilities were published for consul; both issues
appear to be fixed in 1.6.3 according to the upstream information, cf.
[2] and [3].
CVE-2020-7219[0]:
| HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services
| allowed unbounded resource usage, and were susceptible to
| unauthenticated denial of service. Fixed in 1.6.3.
CVE-2020-7955[1]:
| HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not
| uniformly enforce ACLs across all API endpoints, resulting in
| potential unintended information disclosure. Fixed in 1.6.3.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-7219
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7219
[1] https://security-tracker.debian.org/tracker/CVE-2020-7955
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7955
[2] https://github.com/hashicorp/consul/issues/7159
[3] https://github.com/hashicorp/consul/issues/7160
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
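The affected-version ranges quoted in the two CVE descriptions, turned into a check. This is an added example, not part of the bug report and not code from the Consul project: it extracts the upstream x.y.z number from a version string (an upstream "consul version" banner, a "+ent" Enterprise build, or the Debian source version 1.5.2+dfsg2-14, whose "+dfsg2-14" suffix is packaging, not upstream) and reports which of the two CVE ranges contain it. CVE-2020-7219 is described only as "up to 1.6.2", so its lower bound is assumed here to be every earlier release; the function and type names are my own.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strconv"
)

// Version is an upstream Consul release number (major.minor.patch).
type Version struct{ Major, Minor, Patch int }

// versionRe pulls the leading x.y.z triple out of strings such as "1.6.2",
// "v1.6.2+ent", "Consul v1.5.2" or the Debian source version
// "1.5.2+dfsg2-14" (the "+dfsg2-14" part is Debian packaging, not upstream).
var versionRe = regexp.MustCompile(`(\d+)\.(\d+)\.(\d+)`)

// ParseVersion extracts the upstream version from s.
func ParseVersion(s string) (Version, error) {
	m := versionRe.FindStringSubmatch(s)
	if m == nil {
		return Version{}, fmt.Errorf("no x.y.z version found in %q", s)
	}
	var parts [3]int
	for i, field := range m[1:] {
		n, err := strconv.Atoi(field)
		if err != nil {
			return Version{}, fmt.Errorf("bad version component %q: %w", field, err)
		}
		parts[i] = n
	}
	return Version{parts[0], parts[1], parts[2]}, nil
}

// Less reports whether v sorts before o.
func (v Version) Less(o Version) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	return v.Patch < o.Patch
}

func (v Version) String() string {
	return fmt.Sprintf("%d.%d.%d", v.Major, v.Minor, v.Patch)
}

// Advisory is one affected range: every release from Low through High,
// both inclusive, is vulnerable; FixedIn is the first release that is not.
type Advisory struct {
	ID        string
	Low, High Version
	FixedIn   Version
}

// advisories encodes the two ranges from the CVE text. CVE-2020-7219 is
// described only as "up to 1.6.2", so its lower bound is assumed here to
// cover every earlier release (0.0.0).
var advisories = []Advisory{
	{ID: "CVE-2020-7219", Low: Version{0, 0, 0}, High: Version{1, 6, 2}, FixedIn: Version{1, 6, 3}},
	{ID: "CVE-2020-7955", Low: Version{1, 4, 1}, High: Version{1, 6, 2}, FixedIn: Version{1, 6, 3}},
}

// Affected returns the IDs of the advisories whose range contains the
// upstream version found in s, in the order they are listed above.
func Affected(s string) ([]string, error) {
	v, err := ParseVersion(s)
	if err != nil {
		return nil, err
	}
	var ids []string
	for _, a := range advisories {
		if !v.Less(a.Low) && !a.High.Less(v) { // Low <= v <= High
			ids = append(ids, a.ID)
		}
	}
	return ids, nil
}

func main() {
	// Constructed sample inputs: the Debian version from this report, an
	// upstream "consul version" banner for an Enterprise build, and the
	// fixed release. Command-line arguments override them.
	inputs := []string{"1.5.2+dfsg2-14", "Consul v1.6.2+ent", "Consul v1.6.3"}
	if len(os.Args) > 1 {
		inputs = os.Args[1:]
	}
	for _, in := range inputs {
		ids, err := Affected(in)
		if err != nil {
			fmt.Fprintln(os.Stderr, "error:", err)
			continue
		}
		if len(ids) == 0 {
			fmt.Printf("%s: not in any listed range (fixed in %s)\n", in, advisories[0].FixedIn)
		} else {
			fmt.Printf("%s: affected by %v\n", in, ids)
		}
	}
}
```

The check compares upstream numbers only. A Debian package can carry a backported fix without changing the upstream part of its version, so for the state of the Debian package itself the security-tracker entries [0] and [1] are authoritative; this tells you only whether the upstream release you are running falls inside the ranges the CVE text gives.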