SUSE has issued an advisory on November 24: https://lists.suse.com/pipermail/sle-security-updates/2022-November/013107.html The issue is fixed upstream in 24.3.4.15. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 24.3.4.15
Whiteboard: (none) => MGA8TOO
Equivalent openSUSE advisory: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FKGB2TBMVRY5L4FUEC3LM2R2WTCDC2Y7/
NicolasS, assigning this to you as you committed the current version and more besides for erlang. It does not look complicated.
Assignee: bugsquad => nicolas.salguero
Hi,

In fact, only Mageia 8 is affected because for erlang 23.x, that CVE is fixed in 23.3.4.17, but for erlang 24.x, it is fixed in 24.3.4.3 and Cauldron has 24.3.4.5. Anyway, I found that 24.3.4.6 was released, so I updated Cauldron too.

Best regards,

Nico.
CVE: (none) => CVE-2022-37026
Version: Cauldron => 8
Source RPM: erlang-24.3.4.5-2.mga9.src.rpm => erlang-23.2.1-3.1.mga8.src.rpm
Status comment: Fixed upstream in 24.3.4.15 => Fixed upstream in 23.3.4.17
Whiteboard: MGA8TOO => (none)
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS. (CVE-2022-37026)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37026
https://lists.suse.com/pipermail/sle-security-updates/2022-November/013107.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FKGB2TBMVRY5L4FUEC3LM2R2WTCDC2Y7/
========================

Updated packages in core/updates_testing:
========================
erlang-megaco-23.2.1-3.2.mga8
erlang-erts-23.2.1-3.2.mga8
erlang-wx-23.2.1-3.2.mga8
erlang-hipe-23.2.1-3.2.mga8
erlang-stdlib-23.2.1-3.2.mga8
erlang-snmp-23.2.1-3.2.mga8
erlang-erl_interface-23.2.1-3.2.mga8
erlang-compiler-23.2.1-3.2.mga8
erlang-kernel-23.2.1-3.2.mga8
erlang-examples-23.2.1-3.2.mga8
erlang-xmerl-23.2.1-3.2.mga8
erlang-ssl-23.2.1-3.2.mga8
erlang-common_test-23.2.1-3.2.mga8
erlang-observer-23.2.1-3.2.mga8
erlang-public_key-23.2.1-3.2.mga8
erlang-tools-23.2.1-3.2.mga8
erlang-ssh-23.2.1-3.2.mga8
erlang-diameter-23.2.1-3.2.mga8
erlang-asn1-23.2.1-3.2.mga8
erlang-mnesia-23.2.1-3.2.mga8
erlang-dialyzer-23.2.1-3.2.mga8
erlang-inets-23.2.1-3.2.mga8
erlang-debugger-23.2.1-3.2.mga8
erlang-erl_docgen-23.2.1-3.2.mga8
erlang-syntax_tools-23.2.1-3.2.mga8
erlang-reltool-23.2.1-3.2.mga8
erlang-sasl-23.2.1-3.2.mga8
erlang-edoc-23.2.1-3.2.mga8
erlang-runtime_tools-23.2.1-3.2.mga8
erlang-crypto-23.2.1-3.2.mga8
erlang-parsetools-23.2.1-3.2.mga8
erlang-eunit-23.2.1-3.2.mga8
erlang-ftp-23.2.1-3.2.mga8
erlang-et-23.2.1-3.2.mga8
erlang-eldap-23.2.1-3.2.mga8
erlang-jinterface-23.2.1-3.2.mga8
erlang-os_mon-23.2.1-3.2.mga8
erlang-tftp-23.2.1-3.2.mga8
erlang-odbc-23.2.1-3.2.mga8
erlang-23.2.1-3.2.mga8

from SRPM:
erlang-23.2.1-3.2.mga8.src.rpm
Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Status comment: Fixed upstream in 23.3.4.17 => (none)
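The advisory above gives the upstream fix thresholds for CVE-2022-37026 per OTP branch. The following is an added example, not part of this bug report or of the Erlang/OTP or Mageia projects, that turns those thresholds into a small version check an administrator can run against an upstream OTP version string. The thresholds are exactly the ones quoted in the advisory (23.3.4.15, 24.3.4.2, 25.0.2); treating everything below 23.3.4.15 as affected follows the CVE wording "before 23.3.4.15", and treating majors newer than 25 as fixed is an assumption made here because the CVE text names no later branch.

```python
"""Classify an upstream Erlang/OTP version against the CVE-2022-37026 fix thresholds."""
from typing import Optional, Tuple

# Fixed-in versions as stated in the CVE text quoted in the advisory:
# 23.x before 23.3.4.15, 24.x before 24.3.4.2, 25.x before 25.0.2.
FIXED_IN = {
    23: (23, 3, 4, 15),
    24: (24, 3, 4, 2),
    25: (25, 0, 2),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'OTP 24.3.4.5', 'OTP-24.3.4.5' or '24.3.4.5' into a tuple of ints.

    Tuples compare element-wise, which is exactly dotted-version ordering,
    so a shorter tuple such as (25, 1) sorts after (25, 0, 2).
    """
    text = text.strip()
    if text.upper().startswith("OTP"):
        text = text[3:].lstrip(" -")
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> Optional[bool]:
    """Return True if the version precedes the fix on its branch, else False.

    Branches older than 23 are reported as affected ("before 23.3.4.15").
    Branches newer than 25 are reported as not affected; that is an
    assumption of this example, since the CVE text names no later branch.
    """
    v = parse_version(version)
    major = v[0]
    if major < 23:
        return True
    if major > 25:
        return False
    return v < FIXED_IN[major]


def report(version: str) -> str:
    """One-line human-readable verdict, for use from a shell loop."""
    verdict = "AFFECTED" if is_vulnerable(version) else "fixed"
    return f"OTP {'.'.join(map(str, parse_version(version)))}: {verdict} (CVE-2022-37026)"


if __name__ == "__main__":
    # Constructed sample inputs: the Cauldron version named in this bug,
    # the Mageia 8 package version, and the three fix thresholds themselves.
    for sample in ("OTP 24.3.4.5", "23.2.1", "23.3.4.15", "24.3.4.2", "25.0.2"):
        print(report(sample))
```

The full OTP version (not just the major release that erlang:system_info(otp_release) returns) is recorded in the file releases/<release>/OTP_VERSION under the OTP root, and that string is what this check expects. The check is only meaningful for upstream builds: a distribution package such as erlang-23.2.1-3.2.mga8 from this update carries the fix as a backport while keeping its 23.2.1 version string, so for packaged Erlang the package release number and the distribution advisory, not the upstream threshold, are the source of truth.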
Out of my depth here once again, but trying to follow the example from Bug 22145.

Tested in a VirtualBox Plasma guest. This guest had been used in a previous attempt to test couchdb, and installing that had also pulled in several erlang packages. Used qarepo to download the above packages, and updated the ones already installed, with no issues.

Referenced https://www.tutorialspoint.com/erlang/erlang_basic_syntax.htm for a basic example. Created a file named helloworld.erl:

    % hello world program
    -module(helloworld).
    -import(io,[fwrite/1]).
    -export([start/0]).

    start() ->
       fwrite("Hello, world!\n").

Compiled it and ran it:

    [tom@localhost ~]$ erlc helloworld.erl 2>&1
    [tom@localhost ~]$ erl -noshell -s helloworld start -s init stop
    Hello, world!

This is the same result as in Bug 22145, and the expected result according to the above link. That basic function test was enough for an OK in the previous bug, so I'm calling it OK for this one, too. Validating. Advisory in comment 4.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0450.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED