Bug 15580

Summary:	erlang new security issue CVE-2015-2774
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	joequant, sysadmin-bugs
Version:	4	Keywords:	validated_update
Target Milestone:	---
Hardware:	i586
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/643372/
Whiteboard:	has_procedure advisory mga4-32-ok mga4-64-ok
Source RPM:	erlang-R16B02-6.mga5.src.rpm	CVE:
Status comment:

Description David Walser 2015-03-27 18:42:03 CET

A CVE has been assigned for a TLS-related security issue fixed in Erlang 18.0-rc1:
http://openwall.com/lists/oss-security/2015/03/27/9

Mageia 4 and Mageia 5 are affected.

Reproducible: 

Steps to Reproduce:

David Walser 2015-03-27 18:42:09 CET

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-04-30 18:10:25 CEST

Ping?  Joseph, you are marked as the maintainer of this package.

Comment 2 Joseph Wang 2015-05-01 06:10:13 CEST

Hi.

Fedora fixes the issue by disabling v3, so I'm putting in the same patch.

Comment 3 Joseph Wang 2015-05-01 06:21:41 CEST

Actually it's messier.  Putting backporting a patch.

Comment 4 David Walser 2015-05-01 20:59:22 CEST

Thanks for working on this.

Build in Cauldron failed:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20150501184415.ennael.valstar.27843/log/erlang-R16B02-7.mga5/build.0.20150501184504.log

Comment 5 David Walser 2015-05-02 17:30:24 CEST

Fixed in Cauldron in erlang-R16B02-7.mga5.

Version: Cauldron => 4
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 6 David Walser 2015-05-02 17:44:41 CEST

Patched packages uploaded for Mageia 4 and Cauldron.  Thanks Joseph!

Advisory:
========================

Updated erlang packages fix security vulnerability:

Erlang's TLS-1.0 implementation failed to check padding bytes, leaving it
vulnerable to an issue similar to POODLE (CVE-2015-2774).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2774
http://openwall.com/lists/oss-security/2015/03/27/9
========================

Updated packages in core/updates_testing:
========================
erlang-stack-R16B02-2.2.mga4
erlang-base-R16B02-2.2.mga4
erlang-devel-R16B02-2.2.mga4
erlang-manpages-R16B02-2.2.mga4
erlang-appmon-R16B02-2.2.mga4
erlang-dialyzer-R16B02-2.2.mga4
erlang-diameter-R16B02-2.2.mga4
erlang-edoc-R16B02-2.2.mga4
erlang-emacs-R16B02-2.2.mga4
erlang-jinterface-R16B02-2.2.mga4
erlang-asn1-R16B02-2.2.mga4
erlang-common_test-R16B02-2.2.mga4
erlang-compiler-R16B02-2.2.mga4
erlang-cosEvent-R16B02-2.2.mga4
erlang-cosEventDomain-R16B02-2.2.mga4
erlang-cosFileTransfer-R16B02-2.2.mga4
erlang-cosNotification-R16B02-2.2.mga4
erlang-cosProperty-R16B02-2.2.mga4
erlang-cosTime-R16B02-2.2.mga4
erlang-cosTransactions-R16B02-2.2.mga4
erlang-crypto-R16B02-2.2.mga4
erlang-debugger-R16B02-2.2.mga4
erlang-docbuilder-R16B02-2.2.mga4
erlang-erl_docgen-R16B02-2.2.mga4
erlang-erl_interface-R16B02-2.2.mga4
erlang-et-R16B02-2.2.mga4
erlang-eunit-R16B02-2.2.mga4
erlang-gs-R16B02-2.2.mga4
erlang-hipe-R16B02-2.2.mga4
erlang-ic-R16B02-2.2.mga4
erlang-inets-R16B02-2.2.mga4
erlang-megaco-R16B02-2.2.mga4
erlang-mnesia-R16B02-2.2.mga4
erlang-observer-R16B02-2.2.mga4
erlang-odbc-R16B02-2.2.mga4
erlang-orber-R16B02-2.2.mga4
erlang-os_mon-R16B02-2.2.mga4
erlang-otp_mibs-R16B02-2.2.mga4
erlang-parsetools-R16B02-2.2.mga4
erlang-percept-R16B02-2.2.mga4
erlang-pman-R16B02-2.2.mga4
erlang-public_key-R16B02-2.2.mga4
erlang-reltool-R16B02-2.2.mga4
erlang-runtime_tools-R16B02-2.2.mga4
erlang-snmp-R16B02-2.2.mga4
erlang-ssh-R16B02-2.2.mga4
erlang-ssl-R16B02-2.2.mga4
erlang-syntax_tools-R16B02-2.2.mga4
erlang-test_server-R16B02-2.2.mga4
erlang-toolbar-R16B02-2.2.mga4
erlang-tools-R16B02-2.2.mga4
erlang-typer-R16B02-2.2.mga4
erlang-tv-R16B02-2.2.mga4
erlang-webtool-R16B02-2.2.mga4
erlang-wx-R16B02-2.2.mga4
erlang-xmerl-R16B02-2.2.mga4
erlang-eldap-R16B02-2.2.mga4

from erlang-R16B02-2.2.mga4.src.rpm

CC: (none) => joequant
Assignee: joequant => qa-bugs

Comment 7 claire robinson 2015-05-05 15:11:36 CEST

Testing complete mga4 32

Just ensuring all packages update cleanly and 'erl' shell opens without error.

# erl
Erlang R16B02 (erts-5.10.3) [source] [smp:2:2] [async-threads:10] [hipe] [kernel-poll:false]

Eshell V5.10.3  (abort with ^G)
1> ^C
BREAK: (a)bort (c)ontinue (p)roc info (i)nfo (l)oaded
       (v)ersion (k)ill (D)b-tables (d)istribution
a
#

claire robinson 2015-05-05 15:57:39 CEST

Whiteboard: (none) => has_procedure mga4-32-ok

Comment 8 claire robinson 2015-05-05 17:26:31 CEST

Testing complete mga4 64

Whiteboard: has_procedure mga4-32-ok => has_procedure mga4-32-ok mga4-64-ok

Comment 9 claire robinson 2015-05-05 17:30:32 CEST

Validating. Advisory uploaded.

Please push to 4 updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2015-05-05 18:38:49 CEST

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0192.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-05-06 19:32:39 CEST

URL: (none) => http://lwn.net/Vulnerabilities/643372/