Bug 31190

Summary: erlang new security issue CVE-2022-37026
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: erlang-23.2.1-3.1.mga8.src.rpm CVE: CVE-2022-37026
Status comment:

Description David Walser 2022-11-25 17:17:03 CET 
SUSE has issued an advisory on November 24:
https://lists.suse.com/pipermail/sle-security-updates/2022-November/013107.html

The issue is fixed upstream in 24.3.4.15.

Mageia 8 is also affected.
David Walser 2022-11-25 17:17:24 CET

Status comment: (none) => Fixed upstream in 24.3.4.15
Whiteboard: (none) => MGA8TOO

Comment 2 Lewis Smith 2022-11-25 21:33:55 CET 
NicolasS, assigning this to you as you committed the current version and more besides for erlang. It does not look complicated.

Assignee: bugsquad => nicolas.salguero

Comment 3 Nicolas Salguero 2022-11-28 10:17:34 CET 
Hi,

In fact, only Mageia 8 is affected because for erlang 23.x, that CVE is fixed in 23.3.4.17 but for erlang 24.x, it is fixed in 24.3.4.3 and Cauldron has 24.3.4.5.  Anyway I found that 24.3.4.6 was released so I update Cauldron too.

Best regards,

Nico.

CVE: (none) => CVE-2022-37026
Version: Cauldron => 8
Source RPM: erlang-24.3.4.5-2.mga9.src.rpm => erlang-23.2.1-3.1.mga8.src.rpm
Status comment: Fixed upstream in 24.3.4.15 => Fixed upstream in 23.3.4.17
Whiteboard: MGA8TOO => (none)

Comment 4 Nicolas Salguero 2022-11-28 11:24:46 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS. (CVE-2022-37026)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37026
https://lists.suse.com/pipermail/sle-security-updates/2022-November/013107.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FKGB2TBMVRY5L4FUEC3LM2R2WTCDC2Y7/
========================

Updated packages in core/updates_testing:
========================
erlang-megaco-23.2.1-3.2.mga8
erlang-erts-23.2.1-3.2.mga8
erlang-wx-23.2.1-3.2.mga8
erlang-hipe-23.2.1-3.2.mga8
erlang-stdlib-23.2.1-3.2.mga8
erlang-snmp-23.2.1-3.2.mga8
erlang-erl_interface-23.2.1-3.2.mga8
erlang-compiler-23.2.1-3.2.mga8
erlang-kernel-23.2.1-3.2.mga8
erlang-examples-23.2.1-3.2.mga8
erlang-xmerl-23.2.1-3.2.mga8
erlang-ssl-23.2.1-3.2.mga8
erlang-common_test-23.2.1-3.2.mga8
erlang-observer-23.2.1-3.2.mga8
erlang-public_key-23.2.1-3.2.mga8
erlang-tools-23.2.1-3.2.mga8
erlang-ssh-23.2.1-3.2.mga8
erlang-diameter-23.2.1-3.2.mga8
erlang-asn1-23.2.1-3.2.mga8
erlang-mnesia-23.2.1-3.2.mga8
erlang-dialyzer-23.2.1-3.2.mga8
erlang-inets-23.2.1-3.2.mga8
erlang-debugger-23.2.1-3.2.mga8
erlang-erl_docgen-23.2.1-3.2.mga8
erlang-syntax_tools-23.2.1-3.2.mga8
erlang-reltool-23.2.1-3.2.mga8
erlang-sasl-23.2.1-3.2.mga8
erlang-edoc-23.2.1-3.2.mga8
erlang-runtime_tools-23.2.1-3.2.mga8
erlang-crypto-23.2.1-3.2.mga8
erlang-parsetools-23.2.1-3.2.mga8
erlang-eunit-23.2.1-3.2.mga8
erlang-ftp-23.2.1-3.2.mga8
erlang-et-23.2.1-3.2.mga8
erlang-eldap-23.2.1-3.2.mga8
erlang-jinterface-23.2.1-3.2.mga8
erlang-os_mon-23.2.1-3.2.mga8
erlang-tftp-23.2.1-3.2.mga8
erlang-odbc-23.2.1-3.2.mga8
erlang-23.2.1-3.2.mga8

from SRPM:
erlang-23.2.1-3.2.mga8.src.rpm

Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Status comment: Fixed upstream in 23.3.4.17 => (none)

Comment 5 Thomas Andrews 2022-11-29 18:04:29 CET 
Out of my depth here once again, but trying to follow the example from Bug 22145.

Tested in a VirtualBox Plasma guest. This guest had been used in a previous attempt to test couchdb, and installing that had also pulled in several erlang packages.

Used qarepo to download the above packages, and updated the ones already installed, with no issues. Referenced https://www.tutorialspoint.com/erlang/erlang_basic_syntax.htm for a basic example:

Created a file named helloworld.erl:

% hello world program
-module(helloworld).
-import(io,[fwrite/1]).
-export([start/0]).

start() ->
   fwrite("Hello, world!\n").

Compiled it and ran it:

[tom@localhost ~]$ erlc helloworld.erl 2>&1
[tom@localhost ~]$ erl -noshell -s helloworld start -s init stop
Hello, world!

This is the same result as in Bug 22145, and the expected result according to the above link.

That basic function test was enough for an OK in the previous bug, so I'm calling it OK for this one, too.

Validating. Advisory in comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2022-12-04 00:02:44 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2022-12-07 00:34:28 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0450.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED