Bug 28252

Summary: erlang new security issue CVE-2020-35733
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Jani Välimaa <jani.valimaa>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: mageia
Version: Cauldron
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: erlang-23.2.1-2.mga8.src.rpm
CVE:
Status comment: Fixed upstream in 23.2.2

Description David Walser 2021-01-29 19:08:56 CET
Fedora has issued an advisory today (January 29):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/E4CXZWUOZELT7A5ZN6DJRQHX7L35V4PW/

The issue is fixed upstream in 23.2.2 (Fedora updated to 23.2.3).

Mageia 7 may also be affected.
David Walser 2021-01-29 19:09:13 CET

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 23.2.2

Comment 1 Nicolas Lécureuil 2021-01-29 22:54:06 CET
Fixed in mga8.

Version: Cauldron => 7
CC: (none) => mageia
Whiteboard: MGA7TOO => (none)

Comment 2 David Walser 2021-01-29 23:15:39 CET
Patched in erlang-23.2.1-3.mga8.
Comment 3 Nicolas Lécureuil 2021-03-04 19:32:44 CET
mga7 is not affected.

Resolution: (none) => INVALID
Status: NEW => RESOLVED

Comment 4 David Walser 2021-03-04 22:48:18 CET
(In reply to Nicolas Lécureuil from comment #3)
> mga7 is not affected.

Based on what?

If it's really not affected, we should reset the version to Cauldron and close as FIXED.

Status: RESOLVED => REOPENED
Resolution: INVALID => (none)

Comment 5 Nicolas Lécureuil 2021-03-05 01:07:51 CET
Based on research I did :-)

The CVE has been introduced by commit https://github.com/erlang/otp/commit/d24a220c3b867caef83026ba31d2656366da4322

We do not have this commit in mga7.

cf. https://security-tracker.debian.org/tracker/CVE-2020-35733

Status: REOPENED => RESOLVED
Version: 7 => Cauldron
Resolution: (none) => FIXED