[Kolab-devel] Erlang security update breaks guam on Debian 10
Christoph Erhardt
christoph.erhardt at sicherha.de
Sat Jul 15 00:04:21 CEST 2023
Hi all,

if my understanding is correct, CVE-2022-37026 allows an authentication bypass
by clients when using certificate-based authentication, while 'normal' user/
password-based authentication is not affected.

If that is indeed the case, then I believe our quick fix doesn't entail an
immediate risk to Guam users.

Nevertheless, I do feel somewhat strongly about doing things the right way. In
our case this would mean:

1. Make OBS pull the latest Debian 10 packages, including erlang-base.
2. Revert the patch that enables ERTS bundling for Guam.
3. Rebuild Guam.

I'm happy to take care of steps 2 and 3, but step 1 needs to be done by an OBS
admin. Christian? Jeroen?

Best,
Christoph

On Friday, 14 July 2023 16:17:42 CEST hede wrote:
> Many thanks for the short-timed fix!
>
> I think there's a reason for Debian to upgrade a package (via security repo),
> so bundling the old version is indeed not a good idea. Do you have further
> plans to fix this, like making guam compatible with newer erlang versions?
>
> best regards
> hede
> _______________________________________________
> users mailing list
> users at lists.kolab.org
> https://lists.kolab.org/mailman/listinfo/users