Re: Wheezy update of erlang?

Hi Raphael,

On Tue, Dec 12, 2017 at 5:21 PM, Raphael Hertzog <hertzog@debian.org> wrote:
> Hello Sergei,
> On Sun, 10 Dec 2017, Sergei Golovan wrote:
>> On Sun, Dec 10, 2017 at 9:52 PM, Thorsten Alteholz <debian@alteholz.de> wrote:
>> > Hi Sergei,
>> >
>> > The Debian LTS team would like to fix the security issues which are
>> > currently open in the Wheezy version of erlang:
>> > https://security-tracker.debian.org/tracker/source-package/erlang
>> >
>> > Would you like to take care of this yourself?
>> I would love to, but there's a problem. The existing fixes can't be applied to
>> the version in wheezy because it's fairly old, and the ssl application codebase
>> has been changed considerably. So, basically, I'd have to recreate the
>> fix myself. And I'm not sure I have time for this till next week.
>> Though I can test an existing patch if any.
> I tried to backport the patch from version 18 for the version that we have
> in wheezy. The resulting patch is attached. I'm not quite sure that the
> patch is correct.
> Can you review it and test it?

I've tested the unpatched version (it's vulnerable indeed), and then with your patch,
and I confirm that it fixes the bug. I used the YAWS web-server with
HTTPS enabled and https://github.com/robotattackorg/robot-detect as a
client for testing.

So I think you can use your patch as is.

Sergei Golovan
