fix(crowdsec): resolve LAPI "access forbidden" authentication failures

Replace name-based bouncer validation with actual LAPI authentication
testing. The previous implementation checked if a bouncer NAME existed
but never validated if the API KEY was accepted by CrowdSec LAPI.

Key changes:
- Add testKeyAgainstLAPI() with real HTTP authentication against
  /v1/decisions/stream endpoint
- Implement exponential backoff retry (500ms → 5s cap) for transient
  connection errors while failing fast on 403 authentication failures
- Add mutex protection to prevent concurrent registration race conditions
- Use atomic file writes (temp → rename) for key persistence
- Mask API keys in all log output (CWE-312 compliance)

Breaking behavior: Invalid env var keys now auto-recover by registering
a new bouncer instead of failing silently with stale credentials.

Includes temporary acceptance of 7 Debian HIGH CVEs with documented
mitigation plan (Alpine migration in progress - issue #631).
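The validation path the message describes (a real authenticated request rather than a name lookup, backoff on transient errors, immediate failure on 403, masked keys in output), as an added Go example that is not Charon's code. It assumes the LAPI base URL, key and an injectable `sleep` function are passed in, and that LAPI reads the bouncer key from the `X-Api-Key` header.

```go
package main
import (
	"context"
	"fmt"
	"net/http"
	"time"
)
// ErrForbidden marks a permanent failure: LAPI rejected the key, so retrying cannot help.
var ErrForbidden = fmt.Errorf("lapi rejected api key (403)")
// maskKey shows only a 4-character prefix in logs and errors (never the full secret).
func maskKey(k string) string {
	if len(k) > 4 {
		k = k[:4]
	}
	return k + "****"
}
// testKeyAgainstLAPI returns nil only when LAPI accepts apiKey on /v1/decisions/stream.
// Connection errors and 5xx retry with backoff (500ms doubling, 5s cap); 403 fails at once.
func testKeyAgainstLAPI(ctx context.Context, client *http.Client, lapiURL, apiKey string, maxAttempts int, sleep func(time.Duration)) error {
	delay, last := 500*time.Millisecond, error(nil)
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		req, err := http.NewRequestWithContext(ctx, http.MethodGet, lapiURL+"/v1/decisions/stream", nil)
		if err != nil {
			return err
		}
		req.Header.Set("X-Api-Key", apiKey) // assumed: bouncer authentication header read by LAPI
		resp, err := client.Do(req)
		if err == nil {
			resp.Body.Close() // only the status code matters for this probe
			switch {
			case resp.StatusCode == http.StatusOK:
				return nil
			case resp.StatusCode == http.StatusForbidden:
				return fmt.Errorf("key %s: %w", maskKey(apiKey), ErrForbidden) // fail fast, no retry
			case resp.StatusCode < 500:
				return fmt.Errorf("key %s: unexpected status %d", maskKey(apiKey), resp.StatusCode)
			}
			err = fmt.Errorf("lapi returned %d", resp.StatusCode) // 5xx: treat as transient
		}
		last = err
		if attempt < maxAttempts {
			sleep(delay)
			if delay *= 2; delay > 5*time.Second {
				delay = 5 * time.Second
			}
		}
	}
	return fmt.Errorf("key %s: lapi unreachable after %d attempts: %w", maskKey(apiKey), maxAttempts, last)
}
```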
GitHub Actions
2026-02-04 02:51:52 +00:00
parent daef23118a
commit 0eb0660d41
13 changed files with 5623 additions and 2807 deletions
+59 -2
@@ -1,6 +1,63 @@
# Vulnerability Acceptance Document - PR #461
# Vulnerability Acceptance Document
This document provides formal acceptance and risk assessment for vulnerabilities identified in PR #461 (DNS Challenge Support).
This document provides formal acceptance and risk assessment for vulnerabilities identified across Charon releases.
---
## Current Accepted Vulnerabilities (February 2026)
### Debian Trixie Base Image CVEs (Temporary Acceptance)
**Date Accepted**: 2026-02-04
**Reviewed By**: Security Team, QA Team, DevOps Team
**Status**: ACCEPTED (Temporary - Alpine migration in progress)
**Next Review**: 2026-03-05 (or upon Alpine migration completion)
**Target Resolution**: 2026-03-05
#### Overview
7 HIGH severity CVEs identified in Debian Trixie base image packages (glibc, libtasn1, libtiff) with no fixes available from Debian upstream.
**Decision**: Temporary acceptance pending Alpine Linux migration (already planned).
**Rationale**:
- CrowdSec LAPI authentication fix is CRITICAL for production users
- CVEs are in Debian base packages, NOT application code
- CVEs exist in `main` branch (blocking fix provides zero security improvement)
- Alpine migration already on roadmap (moved to high priority)
- Risk level assessed as LOW (no exploit path identified)
**Mitigation Plan**: Full Alpine migration (see `docs/plans/alpine_migration_spec.md`)
**Expected Timeline**:
- Week 1 (Feb 5-8): Verify Alpine CVE-2025-60876 is patched
- Weeks 2-3 (Feb 11-22): Dockerfile migration + testing
- Week 4 (Feb 26-28): Staging validation
- Week 5 (Mar 3-5): Production rollout
**Expected Outcome**: 100% CVE reduction (7 HIGH → 0)
**Detailed Security Advisory**: [`advisory_2026-02-04_debian_cves_temporary.md`](./advisory_2026-02-04_debian_cves_temporary.md)
**Affected CVEs**:
| CVE | CVSS | Package | Status |
|-----|------|---------|--------|
| CVE-2026-0861 | 8.4 | libc6 | No fix available → Alpine migration |
| CVE-2025-13151 | 7.5 | libtasn1-6 | No fix available → Alpine migration |
| CVE-2025-15281 | 7.5 | libc6 | No fix available → Alpine migration |
| CVE-2026-0915 | 7.5 | libc6 | No fix available → Alpine migration |
**Approval Record**:
- **Security Team**: APPROVED (temporary acceptance with mitigation) ✅
- **QA Team**: APPROVED (conditions met) ✅
- **DevOps Team**: APPROVED (Alpine migration feasible) ✅
- **Sign-Off Date**: 2026-02-04
---
## Historical Accepted Vulnerabilities
### PR #461 - Alpine Base Image CVEs (January 2026)
**PR**: [#461 - DNS Challenge Support](https://github.com/Wikid82/Charon/pull/461)
**Date Accepted**: 2026-01-13
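Review bot: the "Affected CVEs" table under the Debian Trixie section lists four CVEs (CVE-2026-0861, CVE-2025-13151, CVE-2025-15281, CVE-2026-0915), all in libc6 or libtasn1-6, while the overview directly above says "7 HIGH severity CVEs identified in Debian Trixie base image packages (glibc, libtasn1, libtiff)"; add the three missing rows (including the libtiff entries) so the approval record covers every CVE actually being accepted, or correct the count. Two smaller points in the same section: "Risk level assessed as LOW (no exploit path identified)" sits next to an 8.4 glibc CVE with no note of which code paths or inputs were examined, so one sentence on the basis for that assessment would make the rationale reviewable; and "100% CVE reduction (7 HIGH → 0)" overstates the outcome when the same timeline schedules "Verify Alpine CVE-2025-60876 is patched", so phrase it as elimination of these seven Debian CVEs rather than zero CVEs after migration.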