Description of problem: See main report in bug 32641
Version affected: 24.3.4.7
Blocks: (none) => 32641
Thanks papoteur for raising this individual bug. The original report mentions 'Erlang ssh 5.1.1'; I do not know how this relates to the erlang SRPM version. ns80 put up erlang-24.3.4.7, but it seems that papoteur (thanks) has just re-built it. Was that for this security issue? Assigning this bug back to Yves for starters; normally ns80 does erlang, so re-assign to him if appropriate.
Whiteboard: (none) => MGA9TOO
Summary: CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack): erlang => CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack): erlang-ssh
Assignee: bugsquad => yvesbrungard
Version: 9 => Cauldron
CC: (none) => marja11
CVE: (none) => CVE-2023-48795
Assignee: yvesbrungard => nicolas.salguero
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Prefix Truncation Attacks in SSH Specification (Terrapin Attack): erlang-ssh. (CVE-2023-48795)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795
https://bugs.mageia.org/show_bug.cgi?id=32641
https://www.openwall.com/lists/oss-security/2023/12/18/3
https://www.openwall.com/lists/oss-security/2023/12/19/5
https://www.openwall.com/lists/oss-security/2023/12/20/3
========================

Updated packages in core/updates_testing:
========================
erlang-24.3.4.15-1.mga9
erlang-asn1-24.3.4.15-1.mga9
erlang-common_test-24.3.4.15-1.mga9
erlang-compiler-24.3.4.15-1.mga9
erlang-crypto-24.3.4.15-1.mga9
erlang-debugger-24.3.4.15-1.mga9
erlang-dialyzer-24.3.4.15-1.mga9
erlang-diameter-24.3.4.15-1.mga9
erlang-doc-24.3.4.15-1.mga9
erlang-edoc-24.3.4.15-1.mga9
erlang-eldap-24.3.4.15-1.mga9
erlang-erl_docgen-24.3.4.15-1.mga9
erlang-erl_interface-24.3.4.15-1.mga9
erlang-erts-24.3.4.15-1.mga9
erlang-et-24.3.4.15-1.mga9
erlang-eunit-24.3.4.15-1.mga9
erlang-examples-24.3.4.15-1.mga9
erlang-ftp-24.3.4.15-1.mga9
erlang-inets-24.3.4.15-1.mga9
erlang-jinterface-24.3.4.15-1.mga9
erlang-kernel-24.3.4.15-1.mga9
erlang-megaco-24.3.4.15-1.mga9
erlang-mnesia-24.3.4.15-1.mga9
erlang-observer-24.3.4.15-1.mga9
erlang-odbc-24.3.4.15-1.mga9
erlang-os_mon-24.3.4.15-1.mga9
erlang-parsetools-24.3.4.15-1.mga9
erlang-public_key-24.3.4.15-1.mga9
erlang-reltool-24.3.4.15-1.mga9
erlang-runtime_tools-24.3.4.15-1.mga9
erlang-sasl-24.3.4.15-1.mga9
erlang-snmp-24.3.4.15-1.mga9
erlang-ssh-24.3.4.15-1.mga9
erlang-ssl-24.3.4.15-1.mga9
erlang-stdlib-24.3.4.15-1.mga9
erlang-syntax_tools-24.3.4.15-1.mga9
erlang-tftp-24.3.4.15-1.mga9
erlang-tools-24.3.4.15-1.mga9
erlang-wx-24.3.4.15-1.mga9
erlang-xmerl-24.3.4.15-1.mga9

from SRPM:
erlang-24.3.4.15-1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Advisory from comment 2 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".
Keywords: (none) => advisory
Created attachment 14269
Log of the test of erlang packages

Test done on real hardware, Mageia 9 x86_64 lxqt.
Install current versions of the packages.
Update to testing packages.
No issues in the update, as you can see in the log.
Tested in a VirtualBox MGA9-64 Plasma guest.

I installed erlang, which pulled in most if not all of the others, then updated using qarepo. There were no installation issues.

Even more out of my depth than before, if that's possible, I used the same basic test as in bug 31190:

Referenced https://www.tutorialspoint.com/erlang/erlang_basic_syntax.htm for a basic example:

Created a file named helloworld.erl:

% hello world program
-module(helloworld).
-import(io,[fwrite/1]).
-export([start/0]).

start() ->
   fwrite("Hello, world!\n").

Compiled it and ran it:

[tom@localhost ~]$ erlc helloworld.erl 2>&1
[tom@localhost ~]$ erl -noshell -s helloworld start -s init stop
Hello, world!

This is the same result as in Bug 31190, and the expected result according to the above link.

That basic function test was enough for an OK in the previous bug, so I'm calling it OK for this one, too. Validating.
Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Blocks: (none) => 32748
Blocks: 32748 => (none)
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0015.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED