Hi Raphael,

On Tue, Dec 12, 2017 at 5:21 PM, Raphael Hertzog <hert...@debian.org> wrote:
> Hello Sergei,
>
> On Sun, 10 Dec 2017, Sergei Golovan wrote:
>> On Sun, Dec 10, 2017 at 9:52 PM, Thorsten Alteholz <deb...@alteholz.de> wrote:
>> > Hi Sergei,
>> >
>> > The Debian LTS team would like to fix the security issues which are
>> > currently open in the Wheezy version of erlang:
>> > https://security-tracker.debian.org/tracker/source-package/erlang
>> >
>> > Would you like to take care of this yourself?
>>
>> I would love to, but there's a problem. The existing fixes can't be applied to
>> the version in wheezy because it's fairly old, and the ssl application codebase
>> has been changed considerably. So, basically, I'd have to recreate the
>> fix myself. And I'm not sure I have time for this till next week.
>>
>> Though I can test an existing patch if any.
>
> I tried to backport the patch from version 18 for the version that we have
> in wheezy. The resulting patch is attached. I'm not quite sure that the
> patch is correct.
>
> Can you review it and test it?

I've tested the unpatched version (it's vulnerable indeed), and then with your patch, and I confirm that it fixes the bug. I used the YAWS web-server with HTTPS enabled and https://github.com/robotattackorg/robot-detect as a client for testing.

So I think you can use your patch as is.

Cheers!
--
Sergei Golovan