765796 – (CVE-2020-35733) <dev-lang/erlang-23.2.2: Invalid TLS certificate validation (CVE-2020-35733)

Bug 765796 (CVE-2020-35733) - <dev-lang/erlang-23.2.2: Invalid TLS certificate validation (CVE-2020-35733)

Summary: <dev-lang/erlang-23.2.2: Invalid TLS certificate validation (CVE-2020-35733)

Status:	IN_PROGRESS

Alias:	CVE-2020-35733

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://erlang.org/pipermail/erlang-q...
Whiteboard:	B4 [glsa? cve]
Keywords:

Depends on:	755236
Blocks:	CVE-2020-25623
	Show dependency tree

Reported:	2021-01-17 19:53 UTC by Sam James
Modified:	2023-10-03 16:37 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2021-01-17 19:53:23 UTC

Description:
"An issue was discovered in Erlang/OTP before 23.2.2. The ssl application 10.2 accepts and trusts an invalid X.509 certificate chain to a trusted root Certification Authority."

Comment 1 Sam James archtester

2021-01-17 19:53:53 UTC

Please tell us when ready to stable, expedited if possible.

Comment 2 Sam James archtester

2021-01-28 03:01:41 UTC

ping?

Comment 3 John Helmert III archtester

2021-02-06 16:43:29 UTC

Erlang 23.2.1 isn't sufficient to fix this bug.

Comment 4 NATTkA bot gentoo-dev

2021-03-06 10:16:56 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: dev-lang/erlang-23.2.2

Comment 5 John Helmert III archtester

2021-03-06 14:57:18 UTC

Stabilization was done in bug 773016. Please cleanup.

Comment 6 John Helmert III archtester

2021-03-13 16:14:24 UTC

Ping. Please cleanup.

Comment 7 Larry the Git Cow gentoo-dev

2021-04-28 18:16:28 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f06f1d7a8d16f0c9730128c56f2a8e22e88b42a3

commit f06f1d7a8d16f0c9730128c56f2a8e22e88b42a3
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2021-04-28 18:16:02 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2021-04-28 18:16:23 +0000

    dev-lang/erlang: drop old
    
    Bug: https://bugs.gentoo.org/749345
    Bug: https://bugs.gentoo.org/765796
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 dev-lang/erlang/Manifest             |   3 -
 dev-lang/erlang/erlang-23.0.4.ebuild | 158 -----------------------------------
 2 files changed, 161 deletions(-)

Comment 8 John Helmert III archtester

2021-07-25 02:12:57 UTC

GLSA request filed.

Comment 9 NATTkA bot gentoo-dev

2021-07-29 17:24:28 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 10 NATTkA bot gentoo-dev

2021-07-29 17:32:58 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 11 NATTkA bot gentoo-dev

2021-07-29 17:40:49 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 12 NATTkA bot gentoo-dev

2021-07-29 17:48:59 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 13 NATTkA bot gentoo-dev

2021-07-29 18:04:55 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 14 NATTkA bot gentoo-dev

2021-07-29 18:13:13 UTC

Package list is empty or all packages have requested keywords.

Comment 15 Matthew Smith gentoo-dev

2022-03-12 08:09:54 UTC

Affected versions no longer in tree.