Date: Fri, 27 Mar 2015 14:39:27 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVE request: Erlang POODLE TLS vulnerability

Hi,

From the release notes of Erlang 18.0-rc1:
http://www.erlang.org/news/85
"ssl: Remove default support for SSL-3.0 and added padding check for
TLS-1.0 due to the Poodle vulnerability."

This indicates that Erlang was vulnerable to the TLS variant of the
POODLE vulnerability due to missing padding checks (see [1]).

While disabling old protocols is maybe not something covered by CVEs,
this clearly is an implementation error and thus should be considered a
vuln.


[1] https://www.imperialviolet.org/2014/12/08/poodleagain.html

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42
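
Added example (not part of the original message, and not Erlang/OTP code): the TLS 1.0 CBC padding check that the release note refers to, shown in Python beside an SSL 3.0-style check that only reads the final length byte. The function names, the 16-byte block and 20-byte MAC sizes, and the sample records are assumptions constructed for illustration.

```python
# Added example, not Erlang/OTP code. Names and sample data are constructed.
# Input is the CBC-decrypted record: payload || MAC || padding || pad_len.

BLOCK = 16    # assumed cipher block size (AES)
MAC_LEN = 20  # assumed MAC length (HMAC-SHA1)


def ssl3_style_check(plaintext: bytes) -> bool:
    """Lax check: SSL 3.0 leaves padding contents undefined, so only the
    final length byte can be validated."""
    if len(plaintext) < MAC_LEN + 1 or len(plaintext) % BLOCK:
        return False
    pad_len = plaintext[-1]
    return pad_len < BLOCK and pad_len + 1 + MAC_LEN <= len(plaintext)


def tls_padding_ok(plaintext: bytes) -> bool:
    """Strict check (RFC 2246, 6.2.3.2): every one of the pad_len + 1
    trailing bytes must equal pad_len."""
    if len(plaintext) < MAC_LEN + 1 or len(plaintext) % BLOCK:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 + MAC_LEN > len(plaintext):
        return False
    # Accumulate differences instead of returning at the first mismatch.
    # Python gives no timing guarantees; a real TLS stack needs constant-time
    # code and must treat padding and MAC failures identically.
    diff = 0
    for b in plaintext[-(pad_len + 1):]:
        diff |= b ^ pad_len
    return diff == 0


# Constructed sample records: 5-byte payload, 20-byte dummy MAC, 7 pad bytes.
BODY = b"hello" + b"\xaa" * MAC_LEN
GOOD = BODY + bytes([6]) * 7                     # all pad bytes == pad_len
MALFORMED = BODY + bytes([0, 1, 2, 3, 4, 5, 6])  # only the last byte is right

if __name__ == "__main__":
    for name, rec in (("GOOD", GOOD), ("MALFORMED", MALFORMED)):
        print(name, "lax:", ssl3_style_check(rec),
              "strict:", tls_padding_ok(rec))
```

A TLS 1.0 implementation that applies only the lax check accepts the MALFORMED record, which is the missing padding check described above.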