Date: Fri, 27 Mar 2015 14:39:27 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVE request: Erlang POODLE TLS vulnerability

Hi,

From the release notes of Erlang 18.0-rc1:
http://www.erlang.org/news/85
"ssl: Remove default support for SSL-3.0 and added padding check for
TLS-1.0 due to the Poodle vulnerability."

This indicates that Erlang was vulnerable to the TLS variant of the
POODLE vulnerability due to missing padding checks (see [1]).

While disabling old protocols is maybe not something covered by CVEs,
this clearly is an implementation error and thus should be considered a
vuln.


[1] https://www.imperialviolet.org/2014/12/08/poodleagain.html

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42
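
The padding check the release note refers to, sketched as an added example (not part of the original message and not Erlang's ssl code): TLS 1.0 (RFC 2246) requires every CBC padding byte to equal the padding_length byte, while a length-only check accepts arbitrary padding content. Function names, the 20-byte MAC length and the sample records are assumptions made for illustration.

```python
# Added example: TLS 1.0 CBC padding validation on a decrypted record.
# Function names and sample records are constructed for illustration.

MAC_LEN = 20  # HMAC-SHA1 tag length, assumed for the sample records


def lax_padding_ok(plain: bytes) -> bool:
    """Length-only check: accepts any padding content (the missing check)."""
    if len(plain) < MAC_LEN + 1:
        return False
    pad_len = plain[-1]
    return pad_len + 1 + MAC_LEN <= len(plain)


def strict_padding_ok(plain: bytes) -> bool:
    """TLS check: every padding byte must equal the padding_length byte."""
    if len(plain) < MAC_LEN + 1:
        return False
    pad_len = plain[-1]
    if pad_len + 1 + MAC_LEN > len(plain):
        return False
    # Accumulate differences rather than returning at the first mismatch, so
    # the loop does not reveal which byte was wrong. (Python gives no real
    # constant-time guarantee; this shows the structure only.)
    diff = 0
    for b in plain[-(pad_len + 1):]:
        diff |= b ^ pad_len
    return diff == 0


def make_record(payload: bytes, padding: bytes) -> bytes:
    """Build a constructed decrypted record: payload || MAC || padding || len."""
    mac = bytes(MAC_LEN)  # placeholder tag; MAC verification is out of scope
    return payload + mac + padding + bytes([len(padding)])


# Constructed samples: 11 + 20 + 16 + 1 = 48 bytes, three 16-byte blocks.
GOOD = make_record(b"hello world", bytes([16]) * 16)
BAD = make_record(b"hello world", bytes(range(16)))  # arbitrary pad bytes

if __name__ == "__main__":
    for name, rec in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, "lax:", lax_padding_ok(rec), "strict:", strict_padding_ok(rec))
```

A record that passes the lax check but fails the strict one is exactly the input a TLS 1.0 implementation must reject with a bad_record_mac alert.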
