--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: stretch-pu: package erlang/1:19.2.1+dfsg-2+deb9u3
- From: Sergei Golovan <sgolovan@nes.ru>
- Date: Tue, 26 May 2020 12:33:55 +0300
- Message-id: <159048563502.10499.11993191995646294315.reportbug@jupiter.golovan.home>
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hi release team!
Recently, a weak ciphers vulnerability was discovered in the Yaws web server,
and reported as CVE-2020-12872 (see [1] and [2]).
It turnes out that Yaws uses the default ciphers provided by Erlang, so I
think it's better to fix this bug there. If we consider only Erlang packages
in stretch, buster, bullseye/sid then only the version in stretch is
vulnerable, so I'd like to propose an update for it.
The proposed patch is attached. It's a minimal patch which jusr removes the
3DES based ciphers from the offered list for TLS v1.0. The later Erlang
versions do just that - remove these ciphers from the list.
If the patch is okay then I'll upload the fixed version.
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12872
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961422
-- System Information:
Debian Release: 10.4
APT prefers stable-debug
APT policy: (500, 'stable-debug'), (500, 'proposed-updates'), (500, 'oldoldstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-9-amd64 (SMP w/12 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru erlang-19.2.1+dfsg/debian/changelog erlang-19.2.1+dfsg/debian/changelog
--- erlang-19.2.1+dfsg/debian/changelog 2019-02-09 01:28:34.000000000 +0300
+++ erlang-19.2.1+dfsg/debian/changelog 2020-05-26 11:30:58.000000000 +0300
@@ -1,3 +1,10 @@
+erlang (1:19.2.1+dfsg-2+deb9u3) stretch; urgency=medium
+
+ * Applied a patch which fixes CVE-2020-12872 vulnerability revealed
+ for the Yaws web server (TLS server offers weak ciphers for TLS 1.0).
+
+ -- Sergei Golovan <sgolovan@debian.org> Tue, 26 May 2020 11:30:58 +0300
+
erlang (1:19.2.1+dfsg-2+deb9u2) stretch; urgency=medium
[ Andreas Beckmann ]
diff -Nru erlang-19.2.1+dfsg/debian/patches/cve-2020-12872.patch erlang-19.2.1+dfsg/debian/patches/cve-2020-12872.patch
--- erlang-19.2.1+dfsg/debian/patches/cve-2020-12872.patch 1970-01-01 03:00:00.000000000 +0300
+++ erlang-19.2.1+dfsg/debian/patches/cve-2020-12872.patch 2020-05-26 11:30:58.000000000 +0300
@@ -0,0 +1,25 @@
+From: Sergei Golovan <sgolovan@debian.org>
+Subject: Patch removes ciphers which are now considered weak
+ from the default TLS ciphers list. The vulnerability was found
+ in the Yaws web server and described as CVE-2020-12872.
+ It is fixed in the later Erlang releases.
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961422
+Forwarded: no
+
+--- a/lib/ssl/src/tls_v1.erl
++++ b/lib/ssl/src/tls_v1.erl
+@@ -204,14 +204,6 @@
+ ?TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
+ ?TLS_RSA_WITH_AES_256_CBC_SHA,
+
+- ?TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+- ?TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+- ?TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+- ?TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+- ?TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+- ?TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+- ?TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+-
+ ?TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+ ?TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ ?TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
diff -Nru erlang-19.2.1+dfsg/debian/patches/series erlang-19.2.1+dfsg/debian/patches/series
--- erlang-19.2.1+dfsg/debian/patches/series 2017-03-22 15:31:29.000000000 +0300
+++ erlang-19.2.1+dfsg/debian/patches/series 2020-05-26 11:30:58.000000000 +0300
@@ -12,3 +12,4 @@
x32.patch
cve-2016-10253.patch
cve-2017-1000385.patch
+cve-2020-12872.patch
--- End Message ---