Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 872272 (CVE-2022-37026) - <dev-lang/erlang-{24.3.4.2,25.0.2}: client authentication bypass
Summary: <dev-lang/erlang-{24.3.4.2,25.0.2}: client authentication bypass
Status: IN_PROGRESS
Alias: CVE-2022-37026
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 872500
Blocks:
  Show dependency tree
 
Reported: 2022-09-22 02:19 UTC by John Helmert III
Modified: 2022-09-25 14:01 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-22 02:19:15 UTC
CVE-2022-37026 (https://github.com/erlang/otp/compare/OTP-23.3.4.14...OTP-23.3.4.15):
https://erlangforums.com/c/erlang-news-announcements/91
https://erlangforums.com/t/otp-25-1-released/1854

In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS.

Please stabilize 24.3.4.2
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-24 20:02:15 UTC
Thanks! Please cleanup
Comment 2 Larry the Git Cow gentoo-dev 2022-09-25 08:47:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ccbd3cc6cd04468bfced25feefd02b1b7a66caa6

commit ccbd3cc6cd04468bfced25feefd02b1b7a66caa6
Author:     Matthew Smith <matthew@gentoo.org>
AuthorDate: 2022-09-25 08:42:42 +0000
Commit:     Matthew Smith <matthew@gentoo.org>
CommitDate: 2022-09-25 08:46:31 +0000

    dev-lang/erlang: drop 24.3.3-r1, security cleanup
    
    Bug: https://bugs.gentoo.org/872272
    Signed-off-by: Matthew Smith <matthew@gentoo.org>

 dev-lang/erlang/Manifest                |   1 -
 dev-lang/erlang/erlang-24.3.3-r1.ebuild | 162 --------------------------------
 2 files changed, 163 deletions(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-25 14:01:16 UTC
Thank you! I'm not really sure what to make of the impact here, do you think it needs a GLSA?