Date: Fri, 27 Mar 2015 14:39:27 +0100 From: Hanno Böck <hanno@...eck.de> To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org Subject: CVE request: Erlang POODLE TLS vulnerability Hi, From the release notes of Erlang 18.0-rc1: http://www.erlang.org/news/85 "ssl: Remove default support for SSL-3.0 and added padding check for TLS-1.0 due to the Poodle vulnerability." This indicates that Erlang was vulnerable to the TLS-variant of the poodle vulnerability due to missing padding checks (see ). While disabling old protocols is maybe not something covered by CVEs, this clearly is an implementation error and thus should be considered a vuln.  https://www.imperialviolet.org/2014/12/08/poodleagain.html cu, -- Hanno Böck http://hboeck.de/ mail/jabber: hanno@...eck.de GPG: BBB51E42 Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.