Source: etcd
Version: 3.2.18+dfsg-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/coreos/etcd/issues/9353

Hi,

The following vulnerabilities were published for etcd. Not sure exactly
on the severity but prefer to be rather safe than sorry afterwards.

CVE-2018-1098[0]:
| A cross-site request forgery flaw was found in etcd 3.3.1 and earlier.
| An attacker can set up a website that tries to send a POST request to
| the etcd server and modify a key. Adding a key is done with PUT so it
| is theoretically safe (can't PUT from an HTML form or such) but POST
| allows creating in-order keys that an attacker can send.

CVE-2018-1099[1]:
| DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An
| attacker can control his DNS records to direct to localhost, and trick
| the browser into sending requests to localhost (or any other address).

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1098
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1098
[1] https://security-tracker.debian.org/tracker/CVE-2018-1099
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1099
[2] https://github.com/coreos/etcd/issues/9353

Regards,
Salvatore
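
Added example, not part of the original report and not etcd's own code: a Go HTTP wrapper that could sit in front of an HTTP key-value API to refuse the two browser-driven request shapes described above. The allowlist contents, the names `guard` and `status`, the sample request path and the assumption that legitimate API clients are not browsers (so they send no `Origin` header) are all illustrative.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// allowedHosts is an assumed, deployment-specific list of names clients may
// legitimately use to reach the server. It is not an etcd setting.
var allowedHosts = map[string]bool{"127.0.0.1": true, "localhost": true, "etcd.internal.example": true}

// guard refuses (1) requests whose Host header is not an expected name, which
// is what a DNS-rebound browser request carries, and (2) state-changing
// requests that carry an Origin header, which current browsers attach to
// cross-site form POSTs (assumption: real API clients never send Origin).
func guard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host := r.Host
		if h, _, err := net.SplitHostPort(r.Host); err == nil {
			host = h // strip the port; a bare hostname is kept as is
		}
		if !allowedHosts[strings.ToLower(host)] {
			http.Error(w, "unexpected Host header", http.StatusForbidden)
			return
		}
		write := r.Method != http.MethodGet && r.Method != http.MethodHead
		if write && r.Header.Get("Origin") != "" {
			http.Error(w, "cross-origin write refused", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// status sends one constructed request through guard and returns the status code.
func status(method, host, origin string) int {
	r := httptest.NewRequest(method, "http://"+host+"/v2/keys/queue", nil)
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	w := httptest.NewRecorder()
	guard(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})).ServeHTTP(w, r)
	return w.Code
}

func main() {
	fmt.Println(status("POST", "127.0.0.1:2379", ""), // direct client
		status("GET", "rebind.attacker.example:2379", ""), // rebound name in Host
		status("POST", "localhost:2379", "http://evil.example")) // form POST from another site
}
```

Neither check replaces authentication on the API; they only close the path where a victim's browser is used as the client.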

