Bug 924915 (CVE-2015-2774) - VUL-1: CVE-2015-2774: erlang: Erlang/OTP is vulnerable to Poodle in its TLS-1.0 implementation
Status: RESOLVED FIXED
Alias: CVE-2015-2774
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low; Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/115284/
Reported: 2015-03-30 11:45 UTC by Marcus Meissner
Modified: 2016-04-27 20:19 UTC
Found By: Security Response Team
Description Marcus Meissner 2015-03-30 11:45:39 UTC
http://www.erlang.org/news/85

...
 ssl: Remove default support for SSL-3.0 and added padding check for TLS-1.0 due to the Poodle vulnerability.
...

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1206712
Comment 1 Marcus Meissner 2015-03-30 12:43:15 UTC
how is erlang talking to outside hosts in our setups?
Comment 2 Vincent Untz 2015-03-30 13:50:14 UTC
(In reply to Marcus Meissner from comment #1)
> how is erlang talking to outside hosts in our setups?

It should not be talking to any outside host afaik.
Comment 3 Marcus Meissner 2015-03-30 13:57:43 UTC
I put it on the planned update list for the SLE branches.

openSUSE could get fixes already.
Comment 4 Swamp Workflow Management 2015-03-30 22:01:23 UTC
bugbot adjusting priority
Comment 5 Dirk Mueller 2015-06-23 16:29:49 UTC
we don't have SSL enabled in our rabbitmq, does this really matter?
Comment 6 Marcus Meissner 2015-06-24 16:04:04 UTC
are you planning to SSL enable rabbitmq?

or upgrade to newer Erlang in newer Cloud versions?
Comment 7 Dirk Mueller 2015-06-25 10:18:10 UTC
Yes, we've updated to a fixed version in Cloud 6 since we need a newer erlang there for systemd support.
Comment 8 Marcus Meissner 2015-06-25 13:34:46 UTC
if it will be fixed in cloud 6 I am happy.
Comment 9 Nanuk Krinner 2015-06-29 08:56:24 UTC
Reassigning to security-team list, as the issue is resolved (Fixed package for Cloud 6, older Cloud versions don't have the vulnerability).
Comment 10 Andreas Stieger 2016-02-10 20:05:09 UTC
Dear openSUSE maintainer of devel:languages:erlang:Factory/erlang
Please submit a maintenance update to openSUSE:13.2:Update/erlang
Comment 11 Andreas Stieger 2016-02-15 10:59:43 UTC
openSUSE 13.2 submission processed
Comment 12 Andreas Stieger 2016-02-20 08:38:11 UTC
release for 13.2
Comment 13 Swamp Workflow Management 2016-02-20 12:12:52 UTC
openSUSE-SU-2016:0523-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 924915
CVE References: CVE-2015-2774
Sources used:
openSUSE 13.2 (src):    erlang-17.1-3.3.1