Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.4507
influxdb security update
21 December 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: influxdb
Publisher: Debian
Operating System: Debian GNU/Linux
Impact/Access: Increased Privileges -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-20933
Reference: ESB-2020.4310
Original Bulletin:
https://www.debian.org/lts/security/2020/dla-2501
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2501-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
December 20, 2020 https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------
Package : influxdb
Version : 1.1.1+dfsg1-4+deb9u1
CVE ID : CVE-2019-20933
An issue has been found in influxdb, a scalable datastore for metrics,
events, and real-time analytics.
By using a JWT token with an empty shared secret, one is able to bypass
authentication in services/httpd/handler.go.
For Debian 9 stretch, this problem has been fixed in version
1.1.1+dfsg1-4+deb9u1.
We recommend that you upgrade your influxdb packages.
For the detailed security status of influxdb please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/influxdb
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAl/fCzdfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7
WEd5MRAAgcYaZ/z5QtMJhfY2KO3xaRzqwpl13xmmdKN8ryFGQraqDbEccggWaDih
f7kXJrbC9uaNGq5IbOJdCaIF1pEioO6JHmL9HKgKnkjhggjNfXLyjDfM+yEMg6H0
r/Oxvhv5Zvi2a+bkDtPKFHAddYCilo+Bo6rWvw0YIHiAiRfrWma23QDsPvZOyeRp
yxX1LbgTT+UsS2pMt5e+Ipo8GJd511eGxrNb3J4mXQH6PD6ipbtTrTNkqkm5UlIx
sXegm99CSHFSx3B/HnwBr0Ym78ELRAkhjZBkcr5PBQgsmzrurHFEegGQAiRsWkIO
Q1ZsPjU3JUeJYxvmot0d8w/XEScW+Gbno2Ph28sBb9pjkvh9NWVbkq4Xub/FPAVg
Mh+46Y6aXZCd0G/BPpyZOPPZil2RGJXDrzQu7wZ0BgtkXbprRMAOThDoTIWd+p6O
ZGGS1zf6sn0EVJQZyAIVBwGnTCqCjFXqa1rJsziknju3D02nzZY9zPiIQ7XTmRlW
O37ucr+vcLEV43yICihkMhiHvcyyktEvtaccDlA/l6fss+JqN24b0yqB9NjI+92n
1SICVek4XCzC6DLHSR6+AX+V5iSCC+i9enWwPJ0Fs6le+yHwCFSwMsHUjp7PlcB3
rg4MIy5YcCMRi4SC1FpnniIIK9IIHJygk+MgWDiIvnYBfI5yQYw=
=oymj
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX9/lU+NLKJtyKPYoAQhNSg/+Ll0iW8I1WMQbadKmdl1PI5J92mxbj39W
Qdk+qoO+naVsq15oXIOaZfbMqzereyXT7GHVC4IRQBaWgSoypRNBzJ+90u4mT0+7
AwaQX3i4OsF/JVOuW3hg0w9/+IdXy3KTqZD137leNklNJwFwqBve2ostIyTQ75iy
sibmZxiOZNEpnEUg2QbUUwRNWl3Jp5dFmP/pAyg/Mb931vL9HJejxNGWaY4nEgeE
HiJQztkHn0Aqf9l7N/n6yiiwrotunZXvD3wO5LcAWxdttLTZqA4Sr7NdnxsSTiTb
FVEzsO5wOnLMst++jiD68wvz8tGCfvpwm3OrYnLarccX/qZyoUZlGxfOeJFNeZsO
meoQxebMvF3cpQYDAVvDPe2BuhPHBJIp+Pq56D4OjKGgd2CNZj4q+oU8uQINbthO
fDhVzbM/wU+STaZTJyJvNDX3TjgraVN8XZxFieV0Hr5Un+HZX+IKbp3b1t5fCCrB
QBBD4muwtfICcq7v6N5d2YN+V3nK5sfV2KKbQc1+Jon6TiJi/LVyn/reJlVF1/JK
faDOgR01tn6yBxx/k3V9YdeolRrt/lklBCrHeoR3l8ecAKw/sWB+G9hCz/yJXvIz
AGzkH/mMCsa4uWpFsOWEH6edvSerBUr7dRsCs3aepBFxWmvOjyC9eHyYwCBeWUSs
NvXFLCBxncs=
=XyV+
-----END PGP SIGNATURE-----