A CVE has been assigned for a TLS-related security issue fixed in Erlang 18.0-rc1:
http://openwall.com/lists/oss-security/2015/03/27/9

Mageia 4 and Mageia 5 are affected.
Whiteboard: (none) => MGA5TOO, MGA4TOO
Ping? Joseph, you are marked as the maintainer of this package.
Hi. Fedora fixes the issue by disabling v3, so I'm putting in the same patch.
Actually it's messier. Putting in a backported patch.
Thanks for working on this. Build in Cauldron failed: http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20150501184415.ennael.valstar.27843/log/erlang-R16B02-7.mga5/build.0.20150501184504.log
Fixed in Cauldron in erlang-R16B02-7.mga5.
Version: Cauldron => 4
Whiteboard: MGA5TOO, MGA4TOO => (none)
Patched packages uploaded for Mageia 4 and Cauldron. Thanks Joseph!

Advisory:
========================

Updated erlang packages fix security vulnerability:

Erlang's TLS-1.0 implementation failed to check padding bytes, leaving it vulnerable to an issue similar to POODLE (CVE-2015-2774).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2774
http://openwall.com/lists/oss-security/2015/03/27/9
========================

Updated packages in core/updates_testing:
========================
erlang-stack-R16B02-2.2.mga4
erlang-base-R16B02-2.2.mga4
erlang-devel-R16B02-2.2.mga4
erlang-manpages-R16B02-2.2.mga4
erlang-appmon-R16B02-2.2.mga4
erlang-dialyzer-R16B02-2.2.mga4
erlang-diameter-R16B02-2.2.mga4
erlang-edoc-R16B02-2.2.mga4
erlang-emacs-R16B02-2.2.mga4
erlang-jinterface-R16B02-2.2.mga4
erlang-asn1-R16B02-2.2.mga4
erlang-common_test-R16B02-2.2.mga4
erlang-compiler-R16B02-2.2.mga4
erlang-cosEvent-R16B02-2.2.mga4
erlang-cosEventDomain-R16B02-2.2.mga4
erlang-cosFileTransfer-R16B02-2.2.mga4
erlang-cosNotification-R16B02-2.2.mga4
erlang-cosProperty-R16B02-2.2.mga4
erlang-cosTime-R16B02-2.2.mga4
erlang-cosTransactions-R16B02-2.2.mga4
erlang-crypto-R16B02-2.2.mga4
erlang-debugger-R16B02-2.2.mga4
erlang-docbuilder-R16B02-2.2.mga4
erlang-erl_docgen-R16B02-2.2.mga4
erlang-erl_interface-R16B02-2.2.mga4
erlang-et-R16B02-2.2.mga4
erlang-eunit-R16B02-2.2.mga4
erlang-gs-R16B02-2.2.mga4
erlang-hipe-R16B02-2.2.mga4
erlang-ic-R16B02-2.2.mga4
erlang-inets-R16B02-2.2.mga4
erlang-megaco-R16B02-2.2.mga4
erlang-mnesia-R16B02-2.2.mga4
erlang-observer-R16B02-2.2.mga4
erlang-odbc-R16B02-2.2.mga4
erlang-orber-R16B02-2.2.mga4
erlang-os_mon-R16B02-2.2.mga4
erlang-otp_mibs-R16B02-2.2.mga4
erlang-parsetools-R16B02-2.2.mga4
erlang-percept-R16B02-2.2.mga4
erlang-pman-R16B02-2.2.mga4
erlang-public_key-R16B02-2.2.mga4
erlang-reltool-R16B02-2.2.mga4
erlang-runtime_tools-R16B02-2.2.mga4
erlang-snmp-R16B02-2.2.mga4
erlang-ssh-R16B02-2.2.mga4
erlang-ssl-R16B02-2.2.mga4
erlang-syntax_tools-R16B02-2.2.mga4
erlang-test_server-R16B02-2.2.mga4
erlang-toolbar-R16B02-2.2.mga4
erlang-tools-R16B02-2.2.mga4
erlang-typer-R16B02-2.2.mga4
erlang-tv-R16B02-2.2.mga4
erlang-webtool-R16B02-2.2.mga4
erlang-wx-R16B02-2.2.mga4
erlang-xmerl-R16B02-2.2.mga4
erlang-eldap-R16B02-2.2.mga4

from erlang-R16B02-2.2.mga4.src.rpm
CC: (none) => joequant
Assignee: joequant => qa-bugs
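The padding check the advisory above refers to, as an added example that is not part of this bug report or of Erlang's ssl code (written in Python rather than Erlang; the function names and record contents are constructed for illustration). In a TLS 1.0 CBC record every padding byte must equal the trailing padding_length byte, and a receiver that reads only that last byte accepts records whose padding was altered, which is the POODLE-like condition.

```python
import hmac

def strip_padding_lenient(plaintext: bytes) -> bytes:
    """Behaviour the advisory describes: only the final length byte is read."""
    if not plaintext:
        raise ValueError("bad record")
    pad_len = plaintext[-1]
    total = pad_len + 1                      # padding bytes + the length byte
    if total > len(plaintext):
        raise ValueError("bad record")
    return plaintext[:-total]                # padding content never inspected

def strip_padding_strict(plaintext: bytes) -> bytes:
    """TLS rule: each padding byte must carry the padding_length value."""
    if not plaintext:
        raise ValueError("bad record")
    pad_len = plaintext[-1]
    total = pad_len + 1
    if total > len(plaintext):
        raise ValueError("bad record")
    expected = bytes([pad_len]) * total
    # compare_digest avoids an early exit on the first mismatching byte
    if not hmac.compare_digest(plaintext[-total:], expected):
        raise ValueError("bad record")       # same error as any other failure
    return plaintext[:-total]

def accepts(strip, plaintext: bytes) -> bool:
    """True if the given padding routine lets the record through."""
    try:
        strip(plaintext)
        return True
    except ValueError:
        return False

# Constructed sample: decrypted record = data || MAC stand-in || padding.
BODY = b"GET / HTTP/1.1" + b"\x00" * 20      # 20 zero bytes stand in for the MAC
GOOD = BODY + b"\x03\x03\x03\x03"            # 3 padding bytes + length byte 3
TAMPERED = BODY + b"\xaa\xbb\xcc\x03"        # padding altered, length byte intact

if __name__ == "__main__":
    for name, strip in (("lenient", strip_padding_lenient),
                        ("strict", strip_padding_strict)):
        print(name, "good:", accepts(strip, GOOD),
              "tampered:", accepts(strip, TAMPERED))
```

In a real record layer the MAC is verified after this step, and a padding failure must be reported exactly like a MAC failure so the two cannot be told apart.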
Testing complete mga4 32

Just ensuring all packages update cleanly and 'erl' shell opens without error.

# erl
Erlang R16B02 (erts-5.10.3) [source] [smp:2:2] [async-threads:10] [hipe] [kernel-poll:false]

Eshell V5.10.3 (abort with ^G)
1> ^C
BREAK: (a)bort (c)ontinue (p)roc info (i)nfo (l)oaded
(v)ersion (k)ill (D)b-tables (d)istribution
a
#
Whiteboard: (none) => has_procedure mga4-32-ok
Testing complete mga4 64
Whiteboard: has_procedure mga4-32-ok => has_procedure mga4-32-ok mga4-64-ok
Validating. Advisory uploaded. Please push to 4 updates. Thanks!
Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0192.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/643372/