[Pkg-erlang-devel] Bug#961422: Bug#961422: yaws: CVE-2020-12872

Sergei Golovan sgolovan at gmail.com
Sun May 24 18:05:23 BST 2020


Hi Salvatore,

On Sun, May 24, 2020 at 4:09 PM Salvatore Bonaccorso <carnil at debian.org> wrote:
>
> The following vulnerability was published for yaws.
>
> CVE-2020-12872[0]:
> | yaws_config.erl in Yaws through 2.0.2 and/or 2.0.7 loads obsolete TLS
> | ciphers, as demonstrated by ones that allow Sweet32 attacks.
>

As far as I can see, YAWS just uses the ciphersuite offered by the Erlang ssl
application. It indeed includes 3DES-based ciphers in Erlang 19.2.1 (in stretch)
and in Erlang 17.3 (in jessie), but doesn't do so in Erlang 21.2.6 (in buster)
and in later versions (in bullseye, sid and experimental).

So, currently, YAWS is vulnerable for jessie and stretch only.

>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

I would rather suggest reassigning this bug to erlang-ssl and fixing it there
(as not only YAWS can use this list of ciphers).

I've already prepared a patch for erlang in stretch, and if you think it's an
acceptable way of fixing this bug, I'll inform the release team about it.

I wouldn't like to do anything about jessie, since its LTS support comes to an
end soon.

Cheers!
-- 
Sergei Golovan
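As an added illustration of the point made in the message above (not code from the e-mail, nor from the yaws or erlang packages), the following Erlang module audits the cipher list that the Erlang ssl application offers and strips the 3DES (Sweet32-affected) suites before the list is handed to a listener. It assumes the OTP 19-style `ssl:cipher_suites/0` API found in stretch; the module and function names are made up for this example.

```erlang
%% Added example, not part of the original e-mail or of yaws/erlang:
%% audit the default Erlang ssl cipher list for 3DES (Sweet32) suites
%% and build ssl options that exclude them.
-module(sweet32_audit).
-export([default_suites/0, is_3des/1, affected/1, strip_3des/1, safe_ssl_opts/1]).

%% OTP 19 returns {KeyExchange, Cipher, Hash} tuples (TLS 1.2 suites may
%% carry a fourth PRF element); OTP 20.3+ can also return maps with a
%% `cipher' key. Handle both representations so the check keeps working
%% across the Erlang versions named in the thread.
is_3des(Suite) when is_tuple(Suite) ->
    element(2, Suite) =:= '3des_ede_cbc';
is_3des(#{cipher := '3des_ede_cbc'}) ->
    true;
is_3des(_) ->
    false.

%% Assumption: the OTP 19 API, where ssl:cipher_suites/0 returns the
%% suites the application offers by default.
default_suites() ->
    ssl:cipher_suites().

%% Detection: the suites in a list that a Sweet32-style attack applies to.
%% A non-empty result for default_suites() is the condition the e-mail
%% describes for stretch and jessie.
affected(Suites) ->
    [S || S <- Suites, is_3des(S)].

%% Mitigation: the same list with the 3DES suites removed.
strip_3des(Suites) ->
    [S || S <- Suites, not is_3des(S)].

%% Prepend an explicit {ciphers, List} option to whatever certificate,
%% key and protocol options the caller already passes to ssl:listen/2,
%% so the listener never offers 3DES regardless of the OTP default.
safe_ssl_opts(BaseOpts) ->
    [{ciphers, strip_3des(default_suites())} | BaseOpts].
```

Running `sweet32_audit:affected(sweet32_audit:default_suites())` in an Erlang shell on the affected release shows which of the offered suites would need to go; an empty list on buster or later matches the thread's observation that those versions no longer include 3DES by default.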