[Pkg-erlang-devel] Wheezy update of erlang?

Sergei Golovan sgolovan at debian.org
Wed Dec 13 17:32:59 UTC 2017


Hi Raphael,

On Tue, Dec 12, 2017 at 5:21 PM, Raphael Hertzog <hertzog at debian.org> wrote:
> Hello Sergei,
>
> On Sun, 10 Dec 2017, Sergei Golovan wrote:
>> On Sun, Dec 10, 2017 at 9:52 PM, Thorsten Alteholz <debian at alteholz.de> wrote:
>> > Hi Sergei,
>> >
>> > The Debian LTS team would like to fix the security issues which are
>> > currently open in the Wheezy version of erlang:
>> > https://security-tracker.debian.org/tracker/source-package/erlang
>> >
>> > Would you like to take care of this yourself?
>>
>> I would love to, but there's a problem. The existing fixes can't be applied to
>> the version in wheezy because it's fairly old, and the ssl application codebase
>> has been changed considerably. So, basically, I'd have to recreate the
>> fix myself. And I'm not sure I have time for this till next week.
>>
>> Though I can test an existing patch if any.
>
> I tried to backport the patch from version 18 for the version that we have
> in wheezy. The resulting patch is attached. I'm not quite sure that the
> patch is correct.
>
> Can you review it and test it?

I've tested the unpatched version (it's vulnerable indeed), and then with your patch,
and I confirm that it fixes the bug. I used the YAWS web-server with
HTTPS enabled and https://github.com/robotattackorg/robot-detect as a
client for testing.

So I think you can use your patch as is.

Cheers!
-- 
Sergei Golovan


