Apache has issued an advisory today (April 26): https://www.openwall.com/lists/oss-security/2022/04/26/1 The issue is fixed upstream in 3.2.2. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 3.2.2
Whiteboard: (none) => MGA8TOO
Assigning to NicolasS as you did a similar CVE update previously.
Assignee: bugsquad => nicolas.salguero
Note the suggested packaging change linked from this message: https://www.openwall.com/lists/oss-security/2022/05/09/2
Hi,

For Cauldron, couchdb-3.2.2-1.mga9 should solve the issue.

Best regards,

Nico.
Status comment: Fixed upstream in 3.2.2 => (none)
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: (none) => Fixed upstream in 3.2.2
CC: (none) => nicolas.salguero
Assignee: nicolas.salguero => pkg-bugs
Suggested advisory:
========================

The updated package fixes a security vulnerability:

In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations. (CVE-2022-24706)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24706
https://www.openwall.com/lists/oss-security/2022/04/26/1
========================

Updated package in core/updates_testing:
========================
couchdb-3.2.2-1.mga8

from SRPM:
couchdb-3.2.2-1.mga8.src.rpm
Source RPM: couchdb-3.1.2-2.mga9.src.rpm => couchdb-3.1.2-1.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2022-24706
Status comment: Fixed upstream in 3.2.2 => (none)
Status: NEW => ASSIGNED
Completely out of my depth here, but forging ahead anyway: Tested in a VirtualBox Plasma guest. I installed couchdb, which drew in several erlang dependencies. I know less than nothing about erlang, but continuing with the update... No installation issues. Early Mageia updates to couchdb contained a link to be used for a test procedure, but as of Bug 29548 that link was no longer valid. I attempted the same test Herman attempted in Bug 29548, with the same resulting failure to start the service. Eventually, the update was approved on the basis of a clean install over the old version. I am perfectly willing to OK it again for the same reason, but would feel more comfortable if someone who knows something would look at it.
CC: (none) => andrewsfarm
Since there has been no response, and this is a critical security update, it has waited far too long. OKing on a clean install, and validating. Advisory in comment 4.
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0466.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED