Bug 31190 - erlang new security issue CVE-2022-37026
Summary: erlang new security issue CVE-2022-37026
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-11-25 17:17 CET by David Walser
Modified: 2022-12-07 00:34 CET (History)
CC: 4 users

See Also:
Source RPM: erlang-23.2.1-3.1.mga8.src.rpm
CVE: CVE-2022-37026
Status comment:



Description David Walser 2022-11-25 17:17:03 CET
SUSE has issued an advisory on November 24:
https://lists.suse.com/pipermail/sle-security-updates/2022-November/013107.html

The issue is fixed upstream in 24.3.4.15.

Mageia 8 is also affected.
David Walser 2022-11-25 17:17:24 CET

Status comment: (none) => Fixed upstream in 24.3.4.15
Whiteboard: (none) => MGA8TOO

Comment 2 Lewis Smith 2022-11-25 21:33:55 CET
NicolasS, assigning this to you as you committed the current version and more besides for erlang. It does not look complicated.

Assignee: bugsquad => nicolas.salguero

Comment 3 Nicolas Salguero 2022-11-28 10:17:34 CET
Hi,

In fact, only Mageia 8 is affected because for erlang 23.x, that CVE is fixed in 23.3.4.17, but for erlang 24.x, it is fixed in 24.3.4.3 and Cauldron has 24.3.4.5. Anyway, I found that 24.3.4.6 was released, so I updated Cauldron too.

Best regards,

Nico.

CVE: (none) => CVE-2022-37026
Version: Cauldron => 8
Source RPM: erlang-24.3.4.5-2.mga9.src.rpm => erlang-23.2.1-3.1.mga8.src.rpm
Status comment: Fixed upstream in 24.3.4.15 => Fixed upstream in 23.3.4.17
Whiteboard: MGA8TOO => (none)

Comment 4 Nicolas Salguero 2022-11-28 11:24:46 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS. (CVE-2022-37026)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37026
https://lists.suse.com/pipermail/sle-security-updates/2022-November/013107.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FKGB2TBMVRY5L4FUEC3LM2R2WTCDC2Y7/
========================

Updated packages in core/updates_testing:
========================
erlang-megaco-23.2.1-3.2.mga8
erlang-erts-23.2.1-3.2.mga8
erlang-wx-23.2.1-3.2.mga8
erlang-hipe-23.2.1-3.2.mga8
erlang-stdlib-23.2.1-3.2.mga8
erlang-snmp-23.2.1-3.2.mga8
erlang-erl_interface-23.2.1-3.2.mga8
erlang-compiler-23.2.1-3.2.mga8
erlang-kernel-23.2.1-3.2.mga8
erlang-examples-23.2.1-3.2.mga8
erlang-xmerl-23.2.1-3.2.mga8
erlang-ssl-23.2.1-3.2.mga8
erlang-common_test-23.2.1-3.2.mga8
erlang-observer-23.2.1-3.2.mga8
erlang-public_key-23.2.1-3.2.mga8
erlang-tools-23.2.1-3.2.mga8
erlang-ssh-23.2.1-3.2.mga8
erlang-diameter-23.2.1-3.2.mga8
erlang-asn1-23.2.1-3.2.mga8
erlang-mnesia-23.2.1-3.2.mga8
erlang-dialyzer-23.2.1-3.2.mga8
erlang-inets-23.2.1-3.2.mga8
erlang-debugger-23.2.1-3.2.mga8
erlang-erl_docgen-23.2.1-3.2.mga8
erlang-syntax_tools-23.2.1-3.2.mga8
erlang-reltool-23.2.1-3.2.mga8
erlang-sasl-23.2.1-3.2.mga8
erlang-edoc-23.2.1-3.2.mga8
erlang-runtime_tools-23.2.1-3.2.mga8
erlang-crypto-23.2.1-3.2.mga8
erlang-parsetools-23.2.1-3.2.mga8
erlang-eunit-23.2.1-3.2.mga8
erlang-ftp-23.2.1-3.2.mga8
erlang-et-23.2.1-3.2.mga8
erlang-eldap-23.2.1-3.2.mga8
erlang-jinterface-23.2.1-3.2.mga8
erlang-os_mon-23.2.1-3.2.mga8
erlang-tftp-23.2.1-3.2.mga8
erlang-odbc-23.2.1-3.2.mga8
erlang-23.2.1-3.2.mga8

from SRPM:
erlang-23.2.1-3.2.mga8.src.rpm

Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Status comment: Fixed upstream in 23.3.4.17 => (none)
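The advisory above describes a client authentication bypass in the ssl application. As an added example (not code from the Mageia bug or from Erlang/OTP itself), the module below shows the server-side ssl options a service that authenticates clients by certificate is expected to run with, a predicate that checks an option list actually demands a verified client certificate, and a helper that reports the loaded ssl application version so it can be compared against what the fixed package ships. The certificate paths and the module name are assumptions; the point is that correct options only do their job once the patched library is installed.

```erlang
%% Added example, not part of the Mageia bug or of Erlang/OTP.
%% Module name and certificate paths are placeholders (assumption).
-module(mtls_check).
-export([server_opts/0, has_strict_client_auth/1, ssl_vsn/0]).

%% Server options for mutual TLS: present our certificate, verify the
%% client's certificate against the client CA, and refuse clients that
%% send no certificate at all.
server_opts() ->
    [{certfile,   "/etc/pki/tls/certs/server.pem"},      % placeholder path
     {keyfile,    "/etc/pki/tls/private/server.key"},    % placeholder path
     {cacertfile, "/etc/pki/tls/certs/client-ca.pem"},   % placeholder path
     %% Ask for and verify the client certificate chain.
     {verify, verify_peer},
     %% Without this, a client that omits its certificate is still accepted.
     {fail_if_no_peer_cert, true}].

%% true only when the option list both verifies the peer and rejects a
%% missing peer certificate; verify_none, or a missing
%% fail_if_no_peer_cert, means no client authentication is enforced.
has_strict_client_auth(Opts) ->
    proplists:get_value(verify, Opts) =:= verify_peer
        andalso proplists:get_value(fail_if_no_peer_cert, Opts, false) =:= true.

%% Version string of the ssl application loaded in this runtime, to be
%% compared with the ssl version contained in the updated erlang-ssl
%% package before relying on client-certificate authentication.
ssl_vsn() ->
    {ok, _} = application:ensure_all_started(ssl),
    {ok, Vsn} = application:get_key(ssl, vsn),
    Vsn.

%% Usage (from a shell, after compiling with `erlc mtls_check.erl`):
%%   erl -noshell -eval 'io:format("ssl ~s, strict=~p~n",
%%       [mtls_check:ssl_vsn(),
%%        mtls_check:has_strict_client_auth(mtls_check:server_opts())]),
%%       init:stop().'
```

`has_strict_client_auth/1` is the kind of check worth running over a deployment's real option lists: a server that was meant to require client certificates but runs with `verify_none` or without `fail_if_no_peer_cert` is open regardless of the CVE, while one with the strict options still depends on the patched ssl application to enforce them.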

Comment 5 Thomas Andrews 2022-11-29 18:04:29 CET
Out of my depth here once again, but trying to follow the example from Bug 22145.

Tested in a VirtualBox Plasma guest. This guest had been used in a previous attempt to test couchdb, and installing that had also pulled in several erlang packages.

Used qarepo to download the above packages, and updated the ones already installed, with no issues. Referenced https://www.tutorialspoint.com/erlang/erlang_basic_syntax.htm for a basic example:

Created a file named helloworld.erl:

% hello world program
-module(helloworld).
-import(io,[fwrite/1]).
-export([start/0]).

start() ->
   fwrite("Hello, world!\n").

Compiled it and ran it:

[tom@localhost ~]$ erlc helloworld.erl 2>&1
[tom@localhost ~]$ erl -noshell -s helloworld start -s init stop
Hello, world!

This is the same result as in Bug 22145, and the expected result according to the above link.

That basic function test was enough for an OK in the previous bug, so I'm calling it OK for this one, too.

Validating. Advisory in comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2022-12-04 00:02:44 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2022-12-07 00:34:28 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0450.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

