[ANN] Nomad v1.3.1, 1.2.8, and 1.1.14 Released


Luiz Aoqui

May 20, 2022, 5:40:13 PM
to hashicorp...@googlegroups.com

CVE-2022-30324 - Nomad Impacted by go-getter Vulnerabilities


A vulnerability was identified in the go-getter library that Nomad and Nomad Enterprise (“Nomad”) use for artifacts, such that a specially crafted Nomad jobspec can be used for privilege escalation onto client agent hosts. This vulnerability affects versions 0.2.0 through 1.3.0, and is fixed in the 1.1.14, 1.2.8, and 1.3.1 releases.


Remediation


Users should upgrade to Nomad v1.3.1 or v1.2.8 or v1.1.14. Upgrading servers and clients is suggested.


Nomad v1.3.1

  • artifact: fix numerous go-getter security issues [GH-13057]

  • agent: fix panic when logging about protocol version config use [GH-12962]


Nomad 1.2.8, 1.1.14

  • artifact: fix numerous go-getter security issues [GH-13057]


Links

1.3.1 Binaries - https://releases.hashicorp.com/nomad/1.3.1/ 

1.3.1 Changelog - https://github.com/hashicorp/nomad/blob/v1.3.1/CHANGELOG.md

1.2.8 Binaries - https://releases.hashicorp.com/nomad/1.2.8/ 

1.2.8 Changelog - https://github.com/hashicorp/nomad/blob/v1.2.8/CHANGELOG.md

1.1.14 Binaries - https://releases.hashicorp.com/nomad/1.1.14/ 

1.1.14 Changelog - https://github.com/hashicorp/nomad/blob/v1.1.14/CHANGELOG.md

The Nomad Team
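The affected range and fixed releases stated in the announcement above can be turned into a fleet audit check; this is an added example, not code from HashiCorp or the Nomad project. The names `parse`, `Affected` and `fixedPatch` are hypothetical, and the code assumes that later patch releases on the 1.1, 1.2 and 1.3 lines and all release lines after 1.3 carry the fix; pre-release strings are rejected so they get a manual look.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parse reads "1.2.8", "v1.2.8" or "1.2.8+ent"; anything else is an error.
func parse(v string) (ver [3]int, err error) {
	v = strings.SplitN(strings.TrimPrefix(strings.TrimSpace(v), "v"), "+", 2)[0]
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return ver, fmt.Errorf("unsupported version %q, review manually", v)
	}
	for i, p := range parts {
		if ver[i], err = strconv.Atoi(p); err != nil || ver[i] < 0 {
			return ver, fmt.Errorf("unsupported version %q, review manually", v)
		}
	}
	return ver, nil
}

var fixedPatch = map[int]int{1: 14, 2: 8, 3: 1} // 1.x minor -> first fixed patch

// Affected applies the announcement's range (0.2.0 through 1.3.0).
func Affected(v string) (bool, error) {
	ver, err := parse(v)
	if err != nil {
		return false, err
	}
	major, minor, patch := ver[0], ver[1], ver[2]
	switch first, ok := fixedPatch[minor]; {
	case major == 0:
		return minor >= 2, nil // below 0.2.0 is outside the stated range
	case major > 1 || minor > 3:
		return false, nil // assumption: lines after 1.3 include the fix
	case ok:
		return patch < first, nil // assumption: later patches keep the fix
	}
	return true, nil // 1.0.x: in range, no fixed release named for this line
}

func main() {
	for _, v := range []string{"1.3.0", "1.2.8+ent", "v1.1.13", "1.3.1-rc.1"} { // constructed inventory
		a, err := Affected(v)
		fmt.Printf("%-12s affected=%v err=%v\n", v, a, err)
	}
}
```

Run it against the versions reported by both servers and clients, since the announcement suggests upgrading both.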
