FS#57608 - [minio] Possibility of a timing attack against authenticated requests on a Minio server

Attached to Project: Community Packages
Opened by none given (hoban) - Thursday, 22 February 2018, 16:28 GMT
Last edited by Sven-Hendrik Haase (Svenstaro) - Thursday, 22 February 2018, 17:48 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Sven-Hendrik Haase (Svenstaro)
Levente Polyak (anthraxx)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:
https://blog.minio.io/minio-release-jan-2nd-2018-security-advisory-ef0342a4ddba

Additional info:
* All versions of Minio prior to RELEASE.2018-01-02T23-07-00Z are affected
* When successful, the attack can be used to change the configuration of a server, and thereby steal or corrupt data.

Steps to reproduce:
N/A ("At the time of writing, this exploit is theoretical and has not been observed in the wild.")

Closed by Sven-Hendrik Haase (Svenstaro)
Thursday, 22 February 2018, 17:48 GMT
Reason for closing: Fixed
Comment by none given (hoban) - Thursday, 22 February 2018, 17:04 GMT
$ diff -u PKGBUILD PKGBUILD.orig
--- PKGBUILD 2018-02-22 10:00:32.255209982 -0700
+++ PKGBUILD.orig 2018-02-22 10:03:12.366326511 -0700
@@ -3,9 +3,9 @@
# Contributor: Daniel Maslowski <info@orangecms.org>

pkgname=minio
-pkgver=2018.02.09
-_pkgver="${pkgver//./-}T22-40-05Z"
-pkgrel=0
+pkgver=2017.11.22
+_pkgver="${pkgver//./-}T19-55-46Z"
+pkgrel=3
pkgdesc='Object storage server compatible with Amazon S3'
arch=('x86_64')
url='https://minio.io'
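Review bot: the hunk is inverted. Because the command was `diff -u PKGBUILD PKGBUILD.orig`, the `-` side is the edited file and the `+` side is the original, so applied as-is this would move `pkgver=2018.02.09` back to `pkgver=2017.11.22`; swapping the arguments (`diff -u PKGBUILD.orig PKGBUILD`) makes it read as the intended upgrade. The edited side also sets `pkgrel=0`, but Arch PKGBUILDs start `pkgrel` at 1 and reset it to 1 on a `pkgver` bump. The change to the time portion of `_pkgver` (`T22-40-05Z` vs `T19-55-46Z`) is expected, since each Minio release tag carries its own timestamp; 2018.02.09 is later than the RELEASE.2018-01-02T23-07-00Z cutoff given in the description, so the target version is on the fixed side of the advisory.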
@@ -18,7 +18,7 @@
minio.service
minio.sysusers)
backup=('etc/minio/minio.conf')
-sha512sums=('12efe6e43be6db63fa84966310662371c4eb8082be1b146dc554d9858251ae1beadea42513863a0358b96c6e021cab808fb6e6b3b2b721aae137f5d860c55b44'
+sha512sums=('d40a205b631d5d1b29b90fc4afff4af07072a7ea27069d9f55a6c54f6a5418328dd44d8f5be2882ac7fdb1f969936de70cd51859d0f5c218c1223a98738e5e2b'
'630a5d109409074b67be71b663a43ad09104121cca3637bb0542df19e375023bff7d7e2cbf39e52cc3cd060d41c363a90bd4ff7734aed1a5ca43a600f6d6d275'
'1c6ea217ea8aac93c9d1e05ad0b6c2108fe3d6367fa6a55acc480b8667996bbb59743e2f7e354c5257fc68bffc18cc44a48c4a82eee293abddcdc7962e63e50b'
'0832f0927da94c1c552dcd1a0a98a56b4447c0fc5f0e6d3b498f720ae7512fcfd5261b158775817f8c75ea43c052434ebadceb385d722aaea58a12fdb2a401ed')
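Review bot: only the first `sha512sums` entry changes, which is consistent with a source-tarball-only bump (the remaining three sums, covering the local files such as minio.service and minio.sysusers, are untouched), but because the diff direction is reversed the `+` line here is the checksum belonging to the old 2017.11.22 archive. Whoever applies this should not copy the hash from the hunk; regenerate the sums against the freshly fetched release archive (for example with `updpkgsums`) and confirm the resulting `pkgver`/checksum pair matches the 2018.02.09 release before building.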
Comment by Doug Newgard (Scimmia) - Thursday, 22 February 2018, 17:22 GMT
Not only is that patch backwards, the pkgrel should not be "0" in Arch; this appears to be a routine update that doesn't need a patch, anyway.
