Date: Fri, 27 Mar 2015 14:39:27 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVE request: Erlang POODLE TLS vulnerability

Hi,

From the release notes of Erlang 18.0-rc1:
http://www.erlang.org/news/85

"ssl: Remove default support for SSL-3.0 and added padding check for TLS-1.0 due to the Poodle vulnerability."

This indicates that Erlang was vulnerable to the TLS-variant of the poodle vulnerability due to missing padding checks (see ). While disabling old protocols is maybe not something covered by CVEs, this clearly is an implementation error and thus should be considered a vuln.

https://www.imperialviolet.org/2014/12/08/poodleagain.html

cu,
--
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42
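
Added example, not part of the original message and not Erlang/OTP code: the "padding check for TLS-1.0" named in the release note, shown beside a check that reads only the length byte. The function names and sample records are constructed for illustration. In TLS CBC records the MAC does not cover the padding, so this check is the only thing that rejects altered padding bytes.

```python
# Illustration of CBC padding validation on a decrypted TLS record.
# Hypothetical helper names; sample records below are constructed.

def lax_padding_ok(plaintext: bytes, block_size: int = 16) -> bool:
    """Length-byte-only check: the padding bytes themselves are ignored.
    This is all SSL 3.0 can do, because its padding content is arbitrary."""
    if not plaintext or len(plaintext) % block_size:
        return False
    pad_len = plaintext[-1]
    return pad_len + 1 <= len(plaintext)


def strict_padding_ok(plaintext: bytes, block_size: int = 16) -> bool:
    """TLS 1.0+ check: RFC 2246 fills every padding byte with the
    padding length value, so the receiver can verify all of them."""
    if not plaintext or len(plaintext) % block_size:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    diff = 0
    # Accumulate differences rather than returning at the first mismatch.
    # Python gives no constant-time guarantee; a production TLS stack needs
    # a constant-time check and the same alert for MAC and padding failures.
    for byte in plaintext[-(pad_len + 1):]:
        diff |= byte ^ pad_len
    return diff == 0


# Constructed records: 20 bytes standing in for data + MAC, then padding
# that brings the total to 32 bytes (padding_length = 11, 12 bytes in all).
BODY = b"A" * 20
WELL_FORMED = BODY + bytes([11]) * 12
ALTERED = BODY + b"\x00" * 11 + bytes([11])  # correct length byte only

if __name__ == "__main__":
    for name, rec in (("well-formed", WELL_FORMED), ("altered", ALTERED)):
        print(f"{name:12} lax={lax_padding_ok(rec)} "
              f"strict={strict_padding_ok(rec)}")
```

A TLS implementation that behaves like `lax_padding_ok` accepts the altered record, which is the missing check the message refers to.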