Re: Wheezy update of erlang?
On Tue, Dec 12, 2017 at 5:21 PM, Raphael Hertzog <firstname.lastname@example.org> wrote:
> Hello Sergei,
> On Sun, 10 Dec 2017, Sergei Golovan wrote:
>> On Sun, Dec 10, 2017 at 9:52 PM, Thorsten Alteholz <email@example.com> wrote:
>> > Hi Sergei,
>> > The Debian LTS team would like to fix the security issues which are
>> > currently open in the Wheezy version of erlang:
>> > https://security-tracker.debian.org/tracker/source-package/erlang
>> > Would you like to take care of this yourself?
>> I would love to, but there's a problem. The existing fixes can't be applied to
>> the version in wheezy because it's fairly old, and the ssl application codebase
>> has been changed considerably. So, basically, I'd have to recreate the
>> fix myself. And I'm not sure I have time for this till next week.
>> Though I can test an existing patch if any.
> I tried to backport the patch from version 18 for the version that we have
> in wheezy. The resulting patch is attached. I'm not quite sure that the
> patch is correct.
> Can you review it and test it?
I've tested the unpatched version (it's vulnerable indeed), and then with your patch,
and I confirm that it fixes the bug. I used the YAWS web-server with
HTTPS enabled and https://github.com/robotattackorg/robot-detect as a
client for testing.
So I think you can use your patch as is.