Source: consul
Version: 1.5.2+dfsg2-14
Severity: grave
Tags: security upstream

Hi,

The following vulnerabilities were published for consul; both issues appear to be fixed in 1.6.3 according to the upstream information, cf. [2] and [3].

CVE-2020-7219[0]:
| HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services
| allowed unbounded resource usage, and were susceptible to
| unauthenticated denial of service. Fixed in 1.6.3.

CVE-2020-7955[1]:
| HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not
| uniformly enforce ACLs across all API endpoints, resulting in
| potential unintended information disclosure. Fixed in 1.6.3.

If you fix the vulnerabilities, please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-7219
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7219
[1] https://security-tracker.debian.org/tracker/CVE-2020-7955
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7955
[2] https://github.com/hashicorp/consul/issues/7159
[3] https://github.com/hashicorp/consul/issues/7160

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore