
[SECURITY] [DLA 2501-1] influxdb security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2501-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Thorsten Alteholz
December 20, 2020                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : influxdb
Version        : 1.1.1+dfsg1-4+deb9u1
CVE ID         : CVE-2019-20933


An issue has been found in influxdb, a scalable datastore for metrics,
events, and real-time analytics. By using a JWT with an empty shared
secret, one is able to bypass the authentication check in
services/httpd/handler.go.


For Debian 9 stretch, this problem has been fixed in version
1.1.1+dfsg1-4+deb9u1.

We recommend that you upgrade your influxdb packages.

For the detailed security status of influxdb please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/influxdb

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

