[Pkg-erlang-devel] Bug#961422: Bug#961422: yaws: CVE-2020-12872
Salvatore Bonaccorso
carnil at debian.org
Tue May 26 06:45:18 BST 2020
Hi Sergei!
[Cc'in security team alias]
On Sun, May 24, 2020 at 08:05:23PM +0300, Sergei Golovan wrote:
> Hi Salvatore,
>
> On Sun, May 24, 2020 at 4:09 PM Salvatore Bonaccorso <carnil at debian.org> wrote:
> >
> > The following vulnerability was published for yaws.
> >
> > CVE-2020-12872[0]:
> > | yaws_config.erl in Yaws through 2.0.2 and/or 2.0.7 loads obsolete TLS
> > | ciphers, as demonstrated by ones that allow Sweet32 attacks.
> >
>
> As far as I can see, YAWS just uses the ciphersuite offered by the Erlang ssl
> application. It indeed includes 3DES based ciphers in Erlang 19.2.1 (in stretch)
> and in Erlang 17.3 (in jessie), but doesn't do so in Erlang 21.2.6 (in
> buster) and in later versions (in bullseye, sid and experimental).
>
> So, currently, YAWS is vulnerable for jessie and stretch only.
Ok, seems reasonable, but to be sure I actually did file an [issue][1]
upstream (which apparently did not get noticed until then) and they
said something similar along those lines *but* said as well "and will
consider additional work to address this CVE".
[1]: <https://github.com/erlyaws/yaws/issues/402>
That said I would like to see what they plan as further work and then
only fix this bug with that change. But I agree with you that the
underlying issue can be considered in erlang-ssl, so just clone the
bug there?
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> I would rather suggest to reassign this bug to erlang-ssl, and fix it there
> (as not only YAWS can use this list of ciphers).
Or reassign (and track this one to see what upstream is going to do
with [1])?
> I've already prepared a patch for erlang in stretch, and if you think
> it's an acceptable way of fixing this bug, I'll inform the release team about it.
I think that sounds good, and then include this for the next (and
last) point release. Thanks for working on it!
> I wouldn't like to do anything about jessie, since its LTS support
> comes to an end soon.
The LTS team marked the issue as no-dsa as well, so I guess this is
fine and we do nothing about it in jessie.
Regards,
Salvatore
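Sergei's point above is that Yaws offers whatever the Erlang ssl application offers by default, so the practical check is to ask the installed OTP what that default list is and whether it still contains 3DES suites (cipher atom '3des_ede_cbc', the Sweet32-affected ones). The escript below is an added example for this thread, not code from yaws, Erlang/OTP or the Debian packages; it assumes a stock OTP install and uses ssl:cipher_suites/2 (OTP 20.3 and later, returns maps) or falls back to ssl:cipher_suites/1 (older OTP such as the 17.3 and 19.2.1 mentioned above, returns tuples). The filtered list it computes is what an application would pass as {ciphers, Safe} to ssl:listen/2 if it wanted to drop 3DES without waiting for a fixed OTP.

```erlang
#!/usr/bin/env escript
%% Added example (not from yaws or Erlang/OTP): print the cipher suites the
%% local Erlang ssl application offers by default and split off the 3DES
%% ones ('3des_ede_cbc') that CVE-2020-12872 / Sweet32 is about.
%% Assumptions: stock OTP; ssl:cipher_suites/2 exists on OTP 20.3+ (maps),
%% older releases only have ssl:cipher_suites/1 (tuples).

-mode(compile).

main(_Args) ->
    {ok, _} = application:ensure_all_started(ssl),
    {module, ssl} = code:ensure_loaded(ssl),
    Suites = default_suites(),
    {Weak, Safe} = lists:partition(fun is_3des/1, Suites),
    io:format("~p suites offered by default, ~p of them 3DES~n",
              [length(Suites), length(Weak)]),
    lists:foreach(fun(S) -> io:format("  weak: ~p~n", [S]) end, Weak),
    %% Safe is the hardened list: hand it to ssl:listen/2 as {ciphers, Safe}
    %% (for yaws, the <ssl> block of yaws.conf has a ciphers setting; see the
    %% yaws.conf manual for its exact syntax, it is not shown in this thread).
    io:format("~p suites remain after dropping 3DES~n", [length(Safe)]),
    case Weak of
        [] ->
            io:format("OK: no 3DES suites in the default list~n");
        _ ->
            io:format("VULNERABLE: 3DES suites are enabled by default~n"),
            halt(1)
    end.

%% OTP >= 20.3: ssl:cipher_suites(default, Version) -> [map()]
%% older OTP:   ssl:cipher_suites(erlang)           -> [tuple()]
default_suites() ->
    case erlang:function_exported(ssl, cipher_suites, 2) of
        true  -> ssl:cipher_suites(default, 'tlsv1.2');
        false -> ssl:cipher_suites(erlang)
    end.

%% The cipher is the `cipher` key in map form and element 2 of the
%% {KeyExchange, Cipher, Mac[, Prf]} tuple form.
cipher_of(#{cipher := C}) -> C;
cipher_of(T) when is_tuple(T) -> element(2, T).

is_3des(Suite) -> cipher_of(Suite) =:= '3des_ede_cbc'.
```

Run it as `escript check_3des.erl` on the stretch and buster OTP builds to reproduce the comparison in the thread: a non-zero exit means the default list still carries 3DES. Only the cipher atom is matched, so the check is independent of whether the suite is listed as rsa, dhe_rsa or ecdhe_rsa key exchange.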