639662 – (CVE-2017-1000385) <dev-lang/erlang-20.3: TLS server vulnerable to Adaptive Chosen Ciphertext attack allowing plaintext recovery or MITM attack (CVE-2017-1000385)

Bug 639662 (CVE-2017-1000385) - <dev-lang/erlang-20.3: TLS server vulnerable to Adaptive Chosen Ciphertext attack allowing plaintext recovery or MITM attack (CVE-2017-1000385)

Summary: <dev-lang/erlang-20.3: TLS server vulnerable to Adaptive Chosen Ciphertext at...

Status:	RESOLVED FIXED

Alias:	CVE-2017-1000385

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:	https://robotattack.org/
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:	649202
Blocks:
	Show dependency tree

Reported:	2017-12-03 19:26 UTC by Hanno Böck
Modified:	2019-10-26 21:46 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Hanno Böck gentoo-dev

2017-12-03 19:26:56 UTC

The Erlang ssl module is vulnerable to a cryptographic attack against the RSA key exchange. This has been fixed in OTP 18.3.4.7, 19.3.6.4, 20.1.7.

Please update. Currently erlang 19.1 is stable on most archs. Depending on whether you want to continue supporting 18/19 we may need updates in multiple branches.

Comment 1 Pacho Ramos gentoo-dev

2018-04-03 07:42:41 UTC

20.3 should get this fixed (and stabilizing it with net-im/ejabberd-17.04-r2 will finally allow to drop old branches)

Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev

2019-10-26 21:46:27 UTC

Already fixed, repository is clean. All done!