Upstream has issued an advisory on February 7: https://advisories.nats.io/CVE/CVE-2022-24450.txt The issue is fixed upstream in 2.7.2. Mageia 8 is also affected.
Severity: normal => critical
Status comment: (none) => Fixed upstream in 2.7.2
Whiteboard: (none) => MGA8TOO
Assigning to the package maintainer Pascal.
Assignee: bugsquad => pterjan
Updated to 2.7.2 in Cauldron (which required a git snapshot of golang-github-nats-io-jwt and importing golang-github-minio-highwayhash). I'll look at the fix for 8 but it will take some time. The large commit to backport is https://github.com/nats-io/nats-server/commit/664e8b92b6906832a78feb07f0f144b8f1ad19f9 and while it will be easy to do the same on older code, almost none of it applies so it will need to be done manually. And sadly I can't steal the work from Fedora https://bugzilla.redhat.com/show_bug.cgi?id=2056579 as they didn't update it yet :)
That took less than 20 minutes! Upload in progress:

nats-server-2.1.9-1.1.mga8.src.rpm
compat-golang-github-nats-io-gnatsd-devel-2.1.9-1.1.mga8.noarch.rpm
compat-golang-github-nats-io-server-2-devel-2.1.9-1.1.mga8.noarch.rpm
golang-github-nats-io-server-devel-2.1.9-1.1.mga8.noarch.rpm
nats-server-2.1.9-1.1.mga8.x86_64.rpm
Version: Cauldron => 8
Assignee: pterjan => qa-bugs
CC: (none) => pterjan
Status comment: Fixed upstream in 2.7.2 => (none)
Whiteboard: MGA8TOO => (none)
I know nothing about this, but decided not to let that stop me... No previous updates, so I sought information on the Web. A search for "nats" netted me several references to the Washington Nationals baseball team, a website with gardening advice about getting rid of gnats, and a video introduction to NATS on YouTube. I watched some of the video, but at around five minutes into it I got hopelessly lost, so no help there.

Installed nats-server, staying away from the developer stuff, and updated with qarepo. No installation issues. Looked at the file list, and saw a systemd service and a command, so I went with that:

# systemctl status nats-server
● nats-server.service - NATS Server
     Loaded: loaded (/usr/lib/systemd/system/nats-server.service; disabled; vendor preset: disabled)
     Active: inactive (dead)

# systemctl start nats-server
# systemctl status nats-server
● nats-server.service - NATS Server
     Loaded: loaded (/usr/lib/systemd/system/nats-server.service; disabled; vendor preset: disabled)
     Active: active (running) since Fri 2022-06-10 21:07:54 EDT; 25s ago
   Main PID: 74660 (nats-server)
      Tasks: 8 (limit: 9446)
     Memory: 3.7M
        CPU: 37ms
     CGroup: /system.slice/nats-server.service
             └─74660 /usr/sbin/nats-server -c /etc/nats-server.conf

Jun 10 21:07:54 localhost.localdomain systemd[1]: Started NATS Server.
Jun 10 21:07:54 localhost.localdomain nats-server[74660]: [74660] 2022/06/10 21:07:54.457707 [INF] Starting nats-server ve>
Jun 10 21:07:54 localhost.localdomain nats-server[74660]: [74660] 2022/06/10 21:07:54.457809 [INF] Git commit [not set]
Jun 10 21:07:54 localhost.localdomain nats-server[74660]: [74660] 2022/06/10 21:07:54.458154 [INF] Starting http monitor o>
Jun 10 21:07:54 localhost.localdomain nats-server[74660]: [74660] 2022/06/10 21:07:54.458313 [INF] Listening for client co>
Jun 10 21:07:54 localhost.localdomain nats-server[74660]: [74660] 2022/06/10 21:07:54.458321 [INF] Server id is NB5PURYBEU>
Jun 10 21:07:54 localhost.localdomain nats-server[74660]: [74660] 2022/06/10 21:07:54.458325 [INF] Server is ready
Jun 10 21:07:54 localhost.localdomain nats-server[74660]: [74660] 2022/06/10 21:07:54.458844 [INF] Listening for route con>

So far, so good. Tried a harmless command:

$ nats-server -h
Usage: nats-server [options]

Server Options:
    -a, --addr <host>                Bind to host address (default: 0.0.0.0)
    -p, --port <port>                Use port for clients (default: 4222)
    -P, --pid <file>                 File to store PID
    -m, --http_port <port>           Use port for http monitoring
    -ms,--https_port <port>          Use port for https monitoring
    -c, --config <file>              Configuration file
    -sl,--signal <signal>[=<pid>]    Send signal to nats-server process (stop, quit, reopen, reload)
                                     <pid> can be either a PID (e.g. 1) or the path to a PID file (e.g. /var/run/nats-server.pid)
        --client_advertise <string>  Client URL to advertise to other servers
    -t                               Test configuration and exit

Logging Options:
    -l, --log <file>                 File to redirect log output
    -T, --logtime                    Timestamp log entries (default: true)
    -s, --syslog                     Log to syslog or windows event log
    -r, --remote_syslog <addr>       Syslog server addr (udp://localhost:514)
    -D, --debug                      Enable debugging output
    -V, --trace                      Trace the raw protocol
    -VV                              Verbose trace (traces system account as well)
    -DV                              Debug and trace
    -DVV                             Debug and verbose trace (traces system account as well)

Authorization Options:
        --user <user>                User required for connections
        --pass <password>            Password required for connections
        --auth <token>               Authorization token required for connections

TLS Options:
        --tls                        Enable TLS, do not verify clients (default: false)
        --tlscert <file>             Server certificate file
        --tlskey <file>              Private key for server certificate
        --tlsverify                  Enable TLS, verify client certificates
        --tlscacert <file>           Client certificate CA for verification

Cluster Options:
        --routes <rurl-1, rurl-2>    Routes to solicit and connect
        --cluster <cluster-url>      Cluster URL for solicited routes
        --no_advertise <bool>        Advertise known cluster IPs to clients
        --cluster_advertise <string> Cluster URL to advertise to other servers
        --connect_retries <number>   For implicit routes, number of connect retries

Common Options:
    -h, --help                       Show this message
    -v, --version                    Show version
        --help_tls                   TLS help

Lots of options there, plenty of places to get into trouble, so I went with the one option that I understood:

$ nats-server -v
nats-server: v2.1.9

I'm calling that good enough.
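A defender-side check derived from the two facts this thread establishes: the fix landed upstream in 2.7.2, and the Mageia 8 fix is a backport shipped as nats-server-2.1.9-1.1.mga8, so on Mageia 8 the upstream version string alone says nothing about patch status and the package release has to be consulted. This is an added example, not code from the bug report or from the nats-server project; the function names and the sample inputs are constructed, and the functions take the `nats-server -v` line and the rpm version-release as string arguments rather than calling rpm, so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not from the bug report or from nats-server: decide whether a
# nats-server installation carries the CVE-2022-24450 fix from two strings the
# QA run above produced, the `nats-server -v` line ("nats-server: v2.1.9") and
# the rpm version-release ("2.1.9-1.1.mga8"). Thresholds come from the thread:
# fixed upstream in 2.7.2, and the Mageia 8 backport is 2.1.9-1.1.mga8.
# Function names and sample inputs are constructed for this example.

# vercmp A B: compare two dotted numeric versions component by component and
# print -1, 0 or 1. A missing component counts as 0, so 2.7 equals 2.7.0.
# Only numeric components are handled (no "rc1" style suffixes).
vercmp() {
    _a=$1 _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*} _y=${_b%%.*}
        _x=${_x:-0} _y=${_y:-0}
        if [ "$_x" -lt "$_y" ]; then echo -1; return; fi
        if [ "$_x" -gt "$_y" ]; then echo 1; return; fi
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    done
    echo 0
}

# upstream_fixed LINE: succeed if the `nats-server -v` output reports >= 2.7.2.
upstream_fixed() {
    _v=$(printf '%s\n' "$1" | sed -n 's/.*v\([0-9][0-9.]*\).*/\1/p')
    [ -n "$_v" ] && [ "$(vercmp "$_v" 2.7.2)" -ge 0 ]
}

# mageia8_fixed EVR: succeed if an rpm "version-release" string such as
# "2.1.9-1.1.mga8" is at or above the Mageia 8 fix package 2.1.9-1.1.mga8.
# Simplified rpm ordering: version first, then the numeric part of the release
# before the ".mga8" distribution tag; epochs are not handled.
mageia8_fixed() {
    _ver=${1%%-*}
    _rel=${1#*-}
    _rel=${_rel%%.mga*}
    case $(vercmp "$_ver" 2.1.9) in
        1)  return 0 ;;
        -1) return 1 ;;
    esac
    [ "$(vercmp "$_rel" 1.1)" -ge 0 ]
}

# fix_status LINE EVR: print fixed-upstream, fixed-backport or vulnerable.
# The upstream version is checked first; the backport check only matters when
# the upstream version is below 2.7.2, which is exactly the Mageia 8 situation.
fix_status() {
    if upstream_fixed "$1"; then
        echo fixed-upstream
    elif mageia8_fixed "$2"; then
        echo fixed-backport
    else
        echo vulnerable
    fi
}

# Constructed sample inputs matching what the QA run above printed.
sample_version_line='nats-server: v2.1.9'
sample_evr='2.1.9-1.1.mga8'
echo "$sample_version_line / $sample_evr -> $(fix_status "$sample_version_line" "$sample_evr")"
```

On a real host the two arguments would come from `nats-server -v` and from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' nats-server`; the sample run reports fixed-backport, which is the expected answer for the 2.1.9-1.1.mga8 package tested above, whereas the same version line with the pre-update release would report vulnerable.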
Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm
Validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0225.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED