Message-ID: <20150327143927.60a73799@pc1.fritz.box>
Date: Fri, 27 Mar 2015 14:39:27 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVE request: Erlang POODLE TLS vulnerability
Hi,

From the release notes of Erlang 18.0-rc1:
http://www.erlang.org/news/85

"ssl: Remove default support for SSL-3.0 and added padding check for
TLS-1.0 due to the Poodle vulnerability."

This indicates that Erlang was vulnerable to the TLS-variant of the
poodle vulnerability due to missing padding checks (see [1]).

While disabling old protocols is maybe not something covered by CVEs,
this clearly is an implementation error and thus should be considered a
vuln.

[1] https://www.imperialviolet.org/2014/12/08/poodleagain.html

cu,
--
Hanno Böck
http://hboeck.de/
mail/jabber: hanno@...eck.de
GPG: BBB51E42
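
The padding check discussed in the message above, as an added example that is not part of the original post and not Erlang's ssl code: an SSL 3.0-style check that looks only at the padding length byte, next to the TLS 1.0 check that requires every padding byte to equal that length. The function names, the 20-byte placeholder MAC and the sample records are assumptions constructed for illustration.

```python
# Added illustration: CBC record padding validation after decryption.
# All names and sample data here are constructed, not taken from Erlang/OTP.

BLOCK = 16    # assumed cipher block size (AES)
MAC_LEN = 20  # assumed MAC length (HMAC-SHA1)


def lax_padding_ok(plaintext: bytes) -> bool:
    """SSL 3.0-style: only the final padding length byte is examined."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    return pad_len + 1 + MAC_LEN <= len(plaintext)


def strict_padding_ok(plaintext: bytes) -> bool:
    """TLS 1.0 and later: every padding byte must equal the padding length."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 + MAC_LEN > len(plaintext):
        return False
    diff = 0
    # Accumulate differences instead of returning at the first mismatch.
    for b in plaintext[-(pad_len + 1):]:
        diff |= b ^ pad_len
    return diff == 0


def build_record(payload: bytes, tamper: bool = False) -> bytes:
    """Constructed decrypted record: payload, placeholder MAC, padding."""
    body = payload + b"\xaa" * MAC_LEN  # placeholder, not a real MAC
    pad_len = BLOCK - 1 - (len(body) % BLOCK)
    fill = 0x00 if tamper else pad_len  # tampered records carry wrong filler
    return body + bytes([fill]) * pad_len + bytes([pad_len])


GOOD = build_record(b"GET / HTTP/1.1\r\n")
TAMPERED = build_record(b"GET / HTTP/1.1\r\n", tamper=True)

if __name__ == "__main__":
    for name, rec in (("good", GOOD), ("tampered", TAMPERED)):
        print(name, "lax:", lax_padding_ok(rec), "strict:", strict_padding_ok(rec))
```

A receiver that applies only the lax check to TLS 1.0 records accepts padding whose filler bytes are not covered by any integrity check, which is the gap the release note's "added padding check" closes.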