This has been moved to the appropriate mailing list secur...@couchdb.apache.org
Best
Jan
—

> On 18. Apr 2022, at 18:48, ermouth <ermo...@gmail.com> wrote:
>
> According to the author the issue is already filed. Also, according to the
> author, the CouchDB security team response was like ‘it gonna be fixed
> eventually, in future release’, which, as I understand, was anything but
> satisfying and resulted in publication.
>
> So it’s already widely public, and my post wasn’t about vulnerability.
>
> It was about ‘Shouldn’t that recommendation be emitted into the CouchDB
> installer?’.
>
> ermouth
>
>
> Mon, 18 Apr 2022 at 15:11, Jan Lehnardt <j...@apache.org>:
>
>> Hi all,
>>
>> please follow the official and well documented guidelines for submitting
>> security related issues: https://docs.couchdb.org/en/stable/cve/index.html
>>
>> Thanks
>> Jan
>> —
>> Professional Support for Apache CouchDB:
>> https://neighbourhood.ie/couchdb-support/
>>
>> 24/7 Observation for your CouchDB Instances:
>> https://opservatory.app
>>
>>> On 18. Apr 2022, at 13:25, ermouth <ermo...@gmail.com> wrote:
>>>
>>> One very popular Russian IT resource published a well written description
>>> of a known Erlang cookie vulnerability – with a recipe on how to exploit it
>>> to gain control over Couch.
>>>
>>> Looks like the CouchDB manual isn’t very verbose about that issue, the
>>> only mention is a recommendation about protecting Erlang cookie if a user
>>> has 4369 open.
>>>
>>> Shouldn’t that recommendation be emitted into the CouchDB installer?
>>>
>>> ermouth