Hi Sergei! [Cc'ing security team alias]

On Sun, May 24, 2020 at 08:05:23PM +0300, Sergei Golovan wrote:
> Hi Salvatore,
>
> On Sun, May 24, 2020 at 4:09 PM Salvatore Bonaccorso <[email protected]> wrote:
> >
> > The following vulnerability was published for yaws.
> >
> > CVE-2020-12872[0]:
> > | yaws_config.erl in Yaws through 2.0.2 and/or 2.0.7 loads obsolete TLS
> > | ciphers, as demonstrated by ones that allow Sweet32 attacks.
> >
>
> As far as I can see, YAWS just uses the ciphersuite offered by the Erlang ssl
> application. It indeed includes 3DES based ciphers in Erlang 19.2.1 (in stretch)
> and in Erlang 17.3 (in jessie), but doesn't do so in Erlang 21.2.6 (in buster)
> and in later versions (in bullseye, sid and experimental).
>
> So, currently, YAWS is vulnerable for jessie and stretch only.

Ok seems reasonable, but to be sure I actually did file an [issue][1]
upstream (which apparently did not get noticed until then) and they said
something similar along the lines *but* said as well "and will consider
additional work to address this CVE".

[1]: <https://github.com/erlyaws/yaws/issues/402>

That said I would like to see what they plan as further work and then
only fix this bug with that change. But I agree with you that the
underlying issue can be considered in erlang-ssl, so just clone the bug
there?

> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> I would rather suggest to reassign this bug to erlang-ssl, and fix it there
> (as not only YAWS can use this list of ciphers).

Or reassign? (and track this one to see what upstream is going to do with [1]?)

> I've already prepared a patch for erlang in stretch, and if you think
> it's an acceptable way of fixing this bug, I'll inform the release team
> about it.

I think that sounds good, and then include this for the next (and last)
point release. Thanks for working on it!

> I wouldn't like to do anything about jessie, since its LTS support
> comes to an end soon.

The LTS team marked the issue as well as no-dsa so I guess this is fine
and do nothing about it in jessie.

Regards,
Salvatore
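A way to check the point made in the thread, that Yaws simply offers whatever cipher list the Erlang ssl application returns, as an added example that is not part of the thread nor of Yaws or Erlang/OTP: it reports whether the default suite list still contains 3DES (the Sweet32 condition of CVE-2020-12872) and builds a list without it. The module name and the WEAK_CIPHERS set are assumptions; it expects ssl:cipher_suites/0 on older releases and ssl:cipher_suites/2 (OTP 20.3 and later).

```erlang
%% Added example (not from the thread, Yaws or Erlang/OTP).
%% Module name is hypothetical; WEAK_CIPHERS is an assumed set.
-module(sweet32_check).
-export([default_suites/0, has_3des/1, drop_weak/1]).

%% 3DES (Sweet32) plus other legacy ciphers we never want offered.
-define(WEAK_CIPHERS, ['3des_ede_cbc', des_cbc, rc4_128]).

%% Default suite list the ssl application would offer, in whatever
%% form this OTP release returns it (tuples before 20.3, maps after).
default_suites() ->
    code:ensure_loaded(ssl),
    case erlang:function_exported(ssl, cipher_suites, 2) of
        true  -> ssl:cipher_suites(default, 'tlsv1.2');   % OTP >= 20.3
        false -> ssl:cipher_suites()                       % older releases
    end.

%% Extract the bulk cipher atom from either representation.
cipher_of({_Kx, Cipher, _Mac})       -> Cipher;   % 3-tuple form
cipher_of({_Kx, Cipher, _Mac, _Prf}) -> Cipher;   % TLS 1.2 4-tuple form
cipher_of(#{cipher := Cipher})       -> Cipher.   % OTP >= 20.3 map form

%% true if any suite in Suites uses 3DES: the condition the thread
%% describes for the Erlang 19.2.1 and 17.3 defaults.
has_3des(Suites) ->
    lists:any(fun(S) -> cipher_of(S) =:= '3des_ede_cbc' end, Suites).

%% Same list with the weak ciphers removed; hand the result to
%% ssl:listen/2 or ssl:connect/3 as the {ciphers, Suites} option.
drop_weak(Suites) ->
    [S || S <- Suites, not lists:member(cipher_of(S), ?WEAK_CIPHERS)].
```

Running sweet32_check:has_3des(sweet32_check:default_suites()) on a node shows whether the installed OTP is affected; drop_weak/1 gives the list to configure explicitly until the ssl application itself is fixed.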

