Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hi release team!

Recently, a weak ciphers vulnerability was discovered in the Yaws web server, and reported as CVE-2020-12872 (see [1] and [2]). It turns out that Yaws uses the default ciphers provided by Erlang, so I think it's better to fix this bug there. If we consider only Erlang packages in stretch, buster, bullseye/sid then only the version in stretch is vulnerable, so I'd like to propose an update for it.

The proposed patch is attached. It's a minimal patch which just removes the 3DES based ciphers from the offered list for TLS v1.0. The later Erlang versions do just that - remove these ciphers from the list.

If the patch is okay then I'll upload the fixed version.

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12872
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961422

-- System Information:
Debian Release: 10.4
APT prefers stable-debug
APT policy: (500, 'stable-debug'), (500, 'proposed-updates'), (500, 'oldoldstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-9-amd64 (SMP w/12 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
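The same mitigation can be applied on the application side until the library fix lands: an added example (not from this report, the Debian patch, or the Yaws/Erlang projects) that builds an ssl:listen/2 cipher list with the 3DES suites filtered out of the OTP defaults. It assumes the OTP 19 ssl:cipher_suites/0 tuple format with the '3des_ede_cbc' cipher atom; the module name no_3des is hypothetical.

```erlang
%% Added example, not code from the bug report or the Debian patch.
%% On OTP 19-era releases ssl:cipher_suites/0 still returns the 3DES
%% suites among the defaults; a server that passes {ciphers, ...}
%% explicitly does not have to wait for the library to be patched.
-module(no_3des).
-export([ciphers/0, has_3des/1, listen_opts/2]).

%% Default suite list with every 3DES suite removed (assumption: OTP 19
%% returns {KeyExchange, Cipher, Hash} or {KeyExchange, Cipher, Hash, Prf}).
ciphers() ->
    ok = ssl:start(),
    [S || S <- ssl:cipher_suites(), not is_3des(S)].

%% True when a suite's bulk cipher is triple DES.
is_3des({_Kx, '3des_ede_cbc', _Mac}) -> true;
is_3des({_Kx, '3des_ede_cbc', _Mac, _Prf}) -> true;
is_3des(_) -> false.

%% Check helper: does a suite list still offer 3DES? Useful as a
%% startup assertion, e.g. false = no_3des:has_3des(no_3des:ciphers()).
has_3des(Suites) -> lists:any(fun is_3des/1, Suites).

%% Listener options for ssl:listen(Port, listen_opts(CertFile, KeyFile)):
%% the hardened cipher list replaces the library default.
listen_opts(CertFile, KeyFile) ->
    [{certfile, CertFile},
     {keyfile, KeyFile},
     {versions, ['tlsv1.2', 'tlsv1.1', tlsv1]},
     {ciphers, ciphers()}].
```

For a Yaws deployment the resulting list is what would be handed to the server's SSL cipher setting instead of relying on the Erlang default.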
diff -Nru erlang-19.2.1+dfsg/debian/changelog erlang-19.2.1+dfsg/debian/changelog --- erlang-19.2.1+dfsg/debian/changelog 2019-02-09 01:28:34.000000000 +0300 +++ erlang-19.2.1+dfsg/debian/changelog 2020-05-26 11:30:58.000000000 +0300 @@ -1,3 +1,10 @@ +erlang (1:19.2.1+dfsg-2+deb9u3) stretch; urgency=medium + + * Applied a patch which fixes CVE-2020-12872 vulnerability revealed + for the Yaws web server (TLS server offers weak ciphers for TLS 1.0). + + -- Sergei Golovan <sgolo...@debian.org> Tue, 26 May 2020 11:30:58 +0300 + erlang (1:19.2.1+dfsg-2+deb9u2) stretch; urgency=medium [ Andreas Beckmann ] diff -Nru erlang-19.2.1+dfsg/debian/patches/cve-2020-12872.patch erlang-19.2.1+dfsg/debian/patches/cve-2020-12872.patch --- erlang-19.2.1+dfsg/debian/patches/cve-2020-12872.patch 1970-01-01 03:00:00.000000000 +0300 +++ erlang-19.2.1+dfsg/debian/patches/cve-2020-12872.patch 2020-05-26 11:30:58.000000000 +0300 
@@ -0,0 +1,25 @@ +From: Sergei Golovan <sgolo...@debian.org> +Subject: Patch removes ciphers which are now considered weak + from the default TLS ciphers list. The vulnerability was found + in the Yaws web server and described as CVE-2020-12872. + It is fixed in the later Erlang releases. +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961422 +Forwarded: no + +--- a/lib/ssl/src/tls_v1.erl ++++ b/lib/ssl/src/tls_v1.erl +@@ -204,14 +204,6 @@ + ?TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, + ?TLS_RSA_WITH_AES_256_CBC_SHA, + +- ?TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, +- ?TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, +- ?TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, +- ?TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, +- ?TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, +- ?TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, +- ?TLS_RSA_WITH_3DES_EDE_CBC_SHA, +- + ?TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + ?TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + ?TLS_DHE_RSA_WITH_AES_128_CBC_SHA, diff -Nru erlang-19.2.1+dfsg/debian/patches/series erlang-19.2.1+dfsg/debian/patches/series --- erlang-19.2.1+dfsg/debian/patches/series 2017-03-22 15:31:29.000000000 +0300 +++ erlang-19.2.1+dfsg/debian/patches/series 2020-05-26 11:30:58.000000000 +0300 @@ -12,3 +12,4 @@ x32.patch cve-2016-10253.patch cve-2017-1000385.patch +cve-2020-12872.patch
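Review bot: the changelog entry in the debian/changelog hunk names the CVE but not the Debian bug the patch header points at (`Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961422`); add the bug number to the entry so the fix is traceable from the changelog alone, as a plain reference rather than `Closes:` if #961422 stays filed against yaws instead of erlang. The entry would also read more precisely if it said what was changed, e.g. "Remove the 3DES cipher suites from the default TLS 1.0 cipher list (CVE-2020-12872)", which is what the attached patch actually does.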
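Review bot: the DEP-3 header of cve-2020-12872.patch says `Forwarded: no` while its description states the change is already present in later Erlang releases; `Forwarded: not-needed` is the DEP-3 value for that case, and an `Origin:` line naming the upstream change, if the upstream commit is known, would let the next maintainer confirm the backport matches. The hunk itself is consistent: `@@ -204,14 +204,6 @@` drops exactly the seven `*_3DES_EDE_CBC_SHA` suites plus the blank line that separated them, leaving the AES_256 suites above and AES_128 suites below untouched. Before upload it is worth confirming that this is the only suite list in tls_v1.erl for the version in stretch that still carries those macros, since the cover letter describes the fix as covering the offered list for TLS v1.0.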