Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 639662 (CVE-2017-1000385)

Summary: <dev-lang/erlang-20.3: TLS server vulnerable to Adaptive Chosen Ciphertext attack allowing plaintext recovery or MITM attack (CVE-2017-1000385)
Product: Gentoo Security Reporter: Hanno Böck <hanno>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: maintainer-needed, maracay, slyfox
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://robotattack.org/
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 649202    
Bug Blocks:    

Description Hanno Böck gentoo-dev 2017-12-03 19:26:56 UTC 
The Erlang ssl module is vulnerable to a cryptographic attack against the RSA key exchange. This has been fixed in OTP 18.3.4.7, 19.3.6.4, 20.1.7.

Please update. Currently erlang 19.1 is stable on most archs. Depending on whether you want to continue supporting 18/19 we may need updates in multiple branches.
Comment 1 Pacho Ramos gentoo-dev 2018-04-03 07:42:41 UTC 
20.3 should get this fixed (and stabilizing it with net-im/ejabberd-17.04-r2 will finally allow to drop old branches)
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-26 21:46:27 UTC 
Already fixed, repository is clean. All done!