[Pkg-erlang-devel] Bug#1024632: Bug#1024632: erlang: CVE-2022-37026 Client Authentication Bypass

Salvatore Bonaccorso carnil at debian.org
Thu Dec 8 21:13:43 GMT 2022


Sergei, Markus,

On Wed, Nov 30, 2022 at 04:25:17PM +0300, Sergei Golovan wrote:
> Hi Markus,
> 
> On Wed, Nov 30, 2022 at 4:15 PM Markus Koschany <apo at debian.org> wrote:
> >
> > Hello,
> >
> > I have prepared a security update for Bullseye which fixes CVE-2022-37026.
> > Sergei, could you review the update please? I am attaching the debdiff.
> 
> I'm also preparing a fix for CVE-2022-37026, but I'll gladly consider
> your patch first. Thank you for the work!

The upcoming point release for 11.6 is scheduled for the 17th, with
the uploading window closing the upcoming weekend. If we are confident
enough about potential regressions, can you make sure the fix lands in
the next bullseye point release?

Note, there is some concern, as
https://bugzilla.suse.com/show_bug.cgi?id=1205318#c14 might be
relevant. Do you know more about regressions? Or are we safe applying
the known regression fixes as tracked in the security-tracker?

Regards,
Salvatore


