Fedora has issued an advisory on November 19:
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/145017.html

They fixed it by adding a patch here:
http://pkgs.fedoraproject.org/cgit/erlang.git/commit/?h=f20&id=bc7188bc292d7f41d7dd0567d535cf1614cee597

They also disabled SSLv3, which is a good idea, here:
http://pkgs.fedoraproject.org/cgit/erlang.git/commit/?h=f20&id=a296fdacf31171784e2c9436725d9fc48b5a321a
Whiteboard: (none) => MGA4TOO
Blocks: (none) => 14674
Newest Fedora 20 advisory for erlang, containing the SSLv3 disabling:
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146184.html
Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated erlang packages fix security vulnerability:

An FTP command injection flaw was found in Erlang's FTP module. Several functions in the FTP module do not properly sanitize the input before passing it into a control socket. A local attacker can use this flaw to execute arbitrary FTP commands on a system that uses this module (CVE-2014-1693).

This update also disables SSLv3 by default to mitigate the POODLE issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1693
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/145017.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146184.html
========================

Updated package in core/updates_testing:
========================
erlang-stack-R16B02-2.1.mga4
erlang-base-R16B02-2.1.mga4
erlang-devel-R16B02-2.1.mga4
erlang-manpages-R16B02-2.1.mga4
erlang-appmon-R16B02-2.1.mga4
erlang-dialyzer-R16B02-2.1.mga4
erlang-diameter-R16B02-2.1.mga4
erlang-edoc-R16B02-2.1.mga4
erlang-emacs-R16B02-2.1.mga4
erlang-jinterface-R16B02-2.1.mga4
erlang-asn1-R16B02-2.1.mga4
erlang-common_test-R16B02-2.1.mga4
erlang-compiler-R16B02-2.1.mga4
erlang-cosEvent-R16B02-2.1.mga4
erlang-cosEventDomain-R16B02-2.1.mga4
erlang-cosFileTransfer-R16B02-2.1.mga4
erlang-cosNotification-R16B02-2.1.mga4
erlang-cosProperty-R16B02-2.1.mga4
erlang-cosTime-R16B02-2.1.mga4
erlang-cosTransactions-R16B02-2.1.mga4
erlang-crypto-R16B02-2.1.mga4
erlang-debugger-R16B02-2.1.mga4
erlang-docbuilder-R16B02-2.1.mga4
erlang-erl_docgen-R16B02-2.1.mga4
erlang-erl_interface-R16B02-2.1.mga4
erlang-et-R16B02-2.1.mga4
erlang-eunit-R16B02-2.1.mga4
erlang-gs-R16B02-2.1.mga4
erlang-hipe-R16B02-2.1.mga4
erlang-ic-R16B02-2.1.mga4
erlang-inets-R16B02-2.1.mga4
erlang-megaco-R16B02-2.1.mga4
erlang-mnesia-R16B02-2.1.mga4
erlang-observer-R16B02-2.1.mga4
erlang-odbc-R16B02-2.1.mga4
erlang-orber-R16B02-2.1.mga4
erlang-os_mon-R16B02-2.1.mga4
erlang-otp_mibs-R16B02-2.1.mga4
erlang-parsetools-R16B02-2.1.mga4
erlang-percept-R16B02-2.1.mga4
erlang-pman-R16B02-2.1.mga4
erlang-public_key-R16B02-2.1.mga4
erlang-reltool-R16B02-2.1.mga4
erlang-runtime_tools-R16B02-2.1.mga4
erlang-snmp-R16B02-2.1.mga4
erlang-ssh-R16B02-2.1.mga4
erlang-ssl-R16B02-2.1.mga4
erlang-syntax_tools-R16B02-2.1.mga4
erlang-test_server-R16B02-2.1.mga4
erlang-toolbar-R16B02-2.1.mga4
erlang-tools-R16B02-2.1.mga4
erlang-typer-R16B02-2.1.mga4
erlang-tv-R16B02-2.1.mga4
erlang-webtool-R16B02-2.1.mga4
erlang-wx-R16B02-2.1.mga4
erlang-xmerl-R16B02-2.1.mga4
erlang-eldap-R16B02-2.1.mga4

from erlang-R16B02-2.1.mga4.src.rpm
Assignee: joequant => qa-bugs
Whiteboard: MGA4TOO => (none)
Version: Cauldron => 4
Blocks: 14674 => (none)
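
The class of check the advisory above refers to, as an added example that is not code from this bug report, from Fedora's patch or from Erlang/OTP. It assumes the unsanitized input concerns line terminators and other control characters in command arguments, since FTP control-channel commands end with CRLF; the module name ftp_ctrl_guard and its functions are hypothetical.

```erlang
-module(ftp_ctrl_guard).
-export([command/2, demo/0]).

%% Added example, not OTP code. Builds one FTP control-channel line
%% (RFC 959: VERB SP argument CRLF) and refuses any argument that
%% could terminate the line early, so one call sends one command.

command(Verb, Arg) when is_binary(Arg) ->
    command(Verb, binary_to_list(Arg));
command(Verb, Arg) when is_list(Verb), is_list(Arg) ->
    case {valid_verb(Verb), first_bad_char(Arg, 1)} of
        {false, _}       -> {error, {bad_verb, Verb}};
        {true, none}     -> {ok, [Verb, $\s, Arg, "\r\n"]};
        {true, {C, Pos}} -> {error, {illegal_char, C, Pos}}
    end;
command(_Verb, _Arg) ->
    {error, badarg}.

%% A verb is a non-empty run of upper-case ASCII letters.
valid_verb([]) -> false;
valid_verb(Verb) ->
    lists:all(fun(C) -> is_integer(C) andalso C >= $A andalso C =< $Z end,
              Verb).

%% Return the first element that is not a printable character, with its
%% 1-based position. CR, LF, NUL and the other control characters are
%% rejected, as are nested lists and improper tails.
first_bad_char([], _Pos) -> none;
first_bad_char([C | T], Pos) when is_integer(C), C >= 32, C =/= 127 ->
    first_bad_char(T, Pos + 1);
first_bad_char([C | _], Pos) -> {C, Pos};
first_bad_char(Tail, Pos) -> {Tail, Pos}.

%% Constructed inputs (hypothetical paths and file names).
demo() ->
    Inputs = [{"CWD", "/pub/releases"},
              {"RETR", <<"notes.txt">>},
              {"CWD", "/pub\r\nNOOP"},   % CRLF embedded in the argument
              {"cwd", "/pub"}],          % lower-case verb
    [{Verb, Arg, command(Verb, Arg)} || {Verb, Arg} <- Inputs].
```

Compile with erlc and call ftp_ctrl_guard:demo() in the erl shell to see which of the constructed inputs are accepted.
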
MGA4-64 on HP Probook 6555b KDE. No installation issues. Checked that erl shell opens (cfr bug 7062)
Whiteboard: (none) => MGA4-64-OK
CC: (none) => herman.viaene
MGA4-32 on Acer D620 Xfce. No installation issues. Checked that erl shell opens (cfr bug 7062)
Whiteboard: MGA4-64-OK => MGA4-32-OK MGA4-64-OK
Validating. Advisory uploaded. Please push to 4 updates. Thanks.
CC: (none) => sysadmin-bugs
Whiteboard: MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
Keywords: (none) => validated_update
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0553.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED