Bug 749345 (CVE-2020-25623) - <dev-lang/erlang-23.1.1: httpd directory traversal (CVE-2020-25623)
Summary: <dev-lang/erlang-23.1.1: httpd directory traversal (CVE-2020-25623)
Status: IN_PROGRESS
Alias: CVE-2020-25623
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://github.com/erlang/otp/release...
Whiteboard: C4 [glsa cve]
Keywords:
Depends on: CVE-2020-35733 755236
Blocks:
Reported: 2020-10-15 18:57 UTC by John Helmert III
Modified: 2022-03-12 08:10 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III gentoo-dev Security 2020-10-15 18:57:08 UTC
CVE-2020-25623:

Erlang/OTP 22.3.x before 22.3.4.6 and 23.x before 23.1 allows Directory Traversal. An attacker can send a crafted HTTP request to read arbitrary files, if httpd in the inets application is used.

Cleanup appears to be partially addressed by bug 740894, otherwise we need to stabilize a fixed version. Maintainers, please call for stabilization when ready.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-23 04:11:55 UTC
(Shifting the blocker because it'll be a pain for stabilisation).

Maintainer: ping. Ready?
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-16 19:01:27 UTC
(In reply to Sam James from comment #1)
> (Shifting the blocker because it'll be a pain for stabilisation).
> 
> Maintainer: ping. Ready?

It was since done in bug 753464. Please clean up.
Comment 3 NATTkA bot gentoo-dev 2021-01-09 11:57:01 UTC Comment hidden (obsolete)
Comment 4 Larry the Git Cow gentoo-dev 2021-04-28 18:16:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f06f1d7a8d16f0c9730128c56f2a8e22e88b42a3

commit f06f1d7a8d16f0c9730128c56f2a8e22e88b42a3
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2021-04-28 18:16:02 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2021-04-28 18:16:23 +0000

    dev-lang/erlang: drop old
    
    Bug: https://bugs.gentoo.org/749345
    Bug: https://bugs.gentoo.org/765796
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 dev-lang/erlang/Manifest             |   3 -
 dev-lang/erlang/erlang-23.0.4.ebuild | 158 -----------------------------------
 2 files changed, 161 deletions(-)
Comment 5 John Helmert III gentoo-dev Security 2021-07-25 02:12:58 UTC
GLSA request filed.
Comment 6 NATTkA bot gentoo-dev 2021-07-29 17:25:45 UTC
Package list is empty or all packages have requested keywords.
Comment 7 Matthew Smith gentoo-dev 2022-03-12 08:10:13 UTC
Affected versions no longer in tree.