Bug 30342

Summary: couchdb new security issue CVE-2022-24706
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: couchdb-3.1.2-1.mga8.src.rpm CVE: CVE-2022-24706
Status comment:

Description David Walser 2022-04-26 17:11:43 CEST 
Apache has issued an advisory today (April 26):
https://www.openwall.com/lists/oss-security/2022/04/26/1

The issue is fixed upstream in 3.2.2.

Mageia 8 is also affected.
David Walser 2022-04-26 17:11:52 CEST

Status comment: (none) => Fixed upstream in 3.2.2
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-04-26 20:35:53 CEST 
Assigning to NicolasS as you did a similar CVE update previously.

Assignee: bugsquad => nicolas.salguero

Comment 2 David Walser 2022-05-10 16:18:38 CEST 
Note the suggested packaging change linked from this message:
https://www.openwall.com/lists/oss-security/2022/05/09/2
Comment 3 Nicolas Salguero 2022-09-29 13:01:57 CEST 
Hi,

For Cauldron, couchdb-3.2.2-1.mga9 should solve the issue.

Best regards,

Nico.

Status comment: Fixed upstream in 3.2.2 => (none)
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Nicolas Salguero 2022-09-29 13:04:31 CEST

Status comment: (none) => Fixed upstream in 3.2.2

Nicolas Salguero 2022-09-29 13:05:00 CEST

CC: (none) => nicolas.salguero
Assignee: nicolas.salguero => pkg-bugs

Comment 4 Nicolas Salguero 2022-11-28 10:50:53 CET 
Suggested advisory:
========================

The updated package fixes a security vulnerability:

In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations. (CVE-2022-24706)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24706
https://www.openwall.com/lists/oss-security/2022/04/26/1
========================

Updated package in core/updates_testing:
========================
couchdb-3.2.2-1.mga8

from SRPM:
couchdb-3.2.2-1.mga8.src.rpm

Source RPM: couchdb-3.1.2-2.mga9.src.rpm => couchdb-3.1.2-1.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2022-24706
Status comment: Fixed upstream in 3.2.2 => (none)
Status: NEW => ASSIGNED

Comment 5 Thomas Andrews 2022-11-29 17:40:24 CET 
Completely out of my depth here, but forging ahead anyway:

Tested in a VirtualBox Plasma guest. I installed couchdb, which drew in several erlang dependencies. I know less than nothing about erlang, but continuing with the update...

No installation issues. Early Mageia updates to couchdb contained a link to be used for a test procedure, but as of Bug 29548 that link was no longer valid. 

I attempted the same test Herman attempted in Bug 29548, with the same resulting failure to start the service. Eventually, the update was approved on the basis of a clean install over the old version.

I am perfectly willing to OK it again for the same reason, but would feel more comfortable if someone who knows something would look at it.

CC: (none) => andrewsfarm

Comment 6 Thomas Andrews 2022-12-13 15:34:07 CET 
Since there has been no response, and this is a critical security update, it has waited far too long. OKing on a clean install, and validating. Advisory in comment 4.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2022-12-17 17:51:16 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Mageia Robot 2022-12-17 19:49:18 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0466.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED