Bug#990581: nomad: CVE-2021-32575
Dear Peter,

On Tuesday, 6 July 2021 6:54:14 AM AEST Peter Pentchev wrote:
> First of all, thanks for your work on nomad and Debian in general!

Thank you for your kind words and for your help.

> Dmitry, what do you think about my attempt to backport the upstream
> patch for CVE-2021-32575 to the Debian package of nomad?
> The upstream patch is at:
>
> https://github.com/hashicorp/nomad/commit/003d68fe6df652b172bc68beabd11a25fd7e1b58
>
> My proposed update to the Debian package is in my forked Salsa repo:
>
> https://salsa.debian.org/roam/nomad/-/commits/roam-CVE-2021-32575/
>
> git clone -b roam-CVE-2021-32575 https://salsa.debian.org/roam/nomad.git

Unfortunately I can not have a look right now...

> If you have no objections, I could push these commits to the team repo,
> upload to unstable, and send an unblock request to the release team.

Go for it. It would be great if you could do all this, if you think it is worth the effort. Thank you.

Frankly, at this point I think we can allow Nomad to be dropped from "testing". Without Podman support, Nomad is not as useful as I expected...

--
Regards,
Dmitry Smirnov
GPG key : 4096R/52B6BBD953968D1B

---

Lies are the social equivalent of toxic waste: Everyone is potentially harmed by their spread.
-- Sam Harris

---

All-cause mortality during COVID-19: No plague and a likely signature of mass homicide by government response.
D. G. Rancourt, June 2020.
-- https://deb.li/37mn4
https://www.researchgate.net/publication/341832637_All-cause_mortality_during_COVID-19_No_plague_and_a_likely_signature_of_mass_homicide_by_government_response
Bug#990581: nomad: CVE-2021-32575
Hi,

First of all, thanks for your work on nomad and Debian in general!

Dmitry, what do you think about my attempt to backport the upstream patch for CVE-2021-32575 to the Debian package of nomad?

The upstream patch is at:

https://github.com/hashicorp/nomad/commit/003d68fe6df652b172bc68beabd11a25fd7e1b58

My proposed update to the Debian package is in my forked Salsa repo:

https://salsa.debian.org/roam/nomad/-/commits/roam-CVE-2021-32575/

git clone -b roam-CVE-2021-32575 https://salsa.debian.org/roam/nomad.git

If you have no objections, I could push these commits to the team repo, upload to unstable, and send an unblock request to the release team.

Thanks again, and keep up the great work!

G'luck,
Peter

--
Peter Pentchev r...@ringlet.net r...@debian.org p...@storpool.com
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
Bug#990581: nomad: CVE-2021-32575
Source: nomad
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for nomad.

CVE-2021-32575[0]:
| HashiCorp Nomad and Nomad Enterprise up to version 1.0.4 bridge
| networking mode allows ARP spoofing from other bridged tasks on the
| same node. Fixed in 0.12.12, 1.0.5, and 1.1.0 RC1.

https://discuss.hashicorp.com/t/hcsec-2021-14-nomad-bridge-networking-mode-allows-arp-spoofing-from-other-bridged-tasks-on-same-node/24296

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32575
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32575

Please adjust the affected versions in the BTS as needed.
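The advisory above gives the fix points per release branch (0.12.12, 1.0.5, 1.1.0 RC1). The following is an added triage helper, not code from the bug report, HashiCorp or the Debian package: it parses an upstream Nomad version string and says whether that upstream release falls in the affected range. It deliberately ignores Debian suffixes such as `+dfsg1-1`, so it says nothing about a Debian package that carries a backported fix like the one discussed in this thread; the branch table and the handling of pre-release tags are my own assumptions based on the advisory text.

```python
import re
from typing import Optional, Tuple

# First fixed release on each branch, as named in the advisory for CVE-2021-32575.
# Keyed by (major, minor) release branch -> (major, minor, patch, prerelease).
FIXED_BY_BRANCH = {
    (0, 12): (0, 12, 12, None),
    (1, 0): (1, 0, 5, None),
    (1, 1): (1, 1, 0, "rc1"),
}

# Upstream part only. A pre-release tag must start with a letter (beta1, rc1)
# so that a Debian revision such as "1.0.5-1" is not mistaken for one.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z][0-9A-Za-z.]*))?")


def parse_version(text: str) -> Tuple[int, int, int, Optional[str]]:
    """Parse '1.0.4', 'v1.1.0-rc1' or '1.0.4+dfsg1-1' into (major, minor, patch, pre)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre


def _key(v: Tuple[int, int, int, Optional[str]]):
    # Semver rule: a pre-release sorts before the final release of the same
    # number. Pre-release tags compare as text, which orders beta1 < rc1.
    major, minor, patch, pre = v
    return (major, minor, patch, 0 if pre is None else -1, pre or "")


def is_affected(version: str) -> bool:
    """True if this upstream Nomad release is in the CVE-2021-32575 affected range."""
    v = parse_version(version)
    branch = (v[0], v[1])
    if branch in FIXED_BY_BRANCH:
        return _key(v) < _key(FIXED_BY_BRANCH[branch])
    # Branches after 1.1 were cut with the fix; anything older than 0.12
    # never got one and falls under "up to version 1.0.4".
    return branch < (1, 1)


if __name__ == "__main__":
    for candidate in ("1.0.4+dfsg1-1", "1.0.5", "0.12.11", "1.1.0-beta1", "1.1.0-rc1"):
        print(candidate, "affected" if is_affected(candidate) else "fixed")
```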