Bug 28252 - erlang new security issue CVE-2020-35733
Summary: erlang new security issue CVE-2020-35733
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Jani Välimaa
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-01-29 19:08 CET by David Walser
Modified: 2021-03-05 01:07 CET

See Also:
Source RPM: erlang-23.2.1-2.mga8.src.rpm
CVE:
Status comment: Fixed upstream in 23.2.2



Description David Walser 2021-01-29 19:08:56 CET
Fedora has issued an advisory today (January 29):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/E4CXZWUOZELT7A5ZN6DJRQHX7L35V4PW/

The issue is fixed upstream in 23.2.2 (Fedora updated to 23.2.3).

Mageia 7 may also be affected.

David Walser 2021-01-29 19:09:13 CET

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 23.2.2

Comment 1 Nicolas Lécureuil 2021-01-29 22:54:06 CET
Fixed in mga8.

Version: Cauldron => 7
CC: (none) => mageia
Whiteboard: MGA7TOO => (none)

Comment 2 David Walser 2021-01-29 23:15:39 CET
Patched in erlang-23.2.1-3.mga8.

Comment 3 Nicolas Lécureuil 2021-03-04 19:32:44 CET
mga7 is not affected.

Resolution: (none) => INVALID
Status: NEW => RESOLVED

Comment 4 David Walser 2021-03-04 22:48:18 CET
(In reply to Nicolas Lécureuil from comment #3)
> mga7 is not affected.

Based on what?

If it's really not affected, we should reset the version to Cauldron and close as FIXED.

Status: RESOLVED => REOPENED
Resolution: INVALID => (none)

Comment 5 Nicolas Lécureuil 2021-03-05 01:07:51 CET
Based on research I did :-)

The CVE has been introduced by commit https://github.com/erlang/otp/commit/d24a220c3b867caef83026ba31d2656366da4322

We do not have this commit in mga7.

cf: 

https://security-tracker.debian.org/tracker/CVE-2020-35733

Status: REOPENED => RESOLVED
Version: 7 => Cauldron
Resolution: (none) => FIXED

