oss-sec mailing list archives
Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging
From: Archange <archange () activis me>
Date: Mon, 9 May 2022 12:54:56 +0400
Hi, Le 26/04/2022 à 12:44, Jan Lehnardt a écrit :
[…] In addition, all binary packages have been updated to bind `epmd` as well as the CouchDB distribution port to `127.0.0.1` and/or `::1` respectively. Credit: The Apache CouchDB Team would like to thank Alex Vandiver <alexmv () zulip com> for the report of this issue. References: https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00
Regarding epmd, how is this achieved in the binary packages? Because on Arch at least, setting `ERL_EPMD_ADDRESS=127.0.0.1` as stated in https://github.com/apache/couchdb/issues/999#issuecomment-345068280 is still required. Should Arch make that a default in the systemd service file? For now this has just been a recommandation for single node security since 2017 (https://wiki.archlinux.org/title/CouchDB#Single_node_setup_&_Security), but I can make it the default (the second part of the wiki advice being now an upstream default, I think it would make some sense).
Regards, Bruno/Archange (Arch maintainer for CouchDB)
Current thread:
- CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging Jan Lehnardt (Apr 26)
- Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging Archange (May 09)
- Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging Jan Lehnardt (May 09)
- Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging Archange (May 09)