[Kolab-devel] Erlang security update breaks guam on Debian 10

Christian Mollekopf mollekopf at apheleia-it.ch
Mon Jul 17 07:12:51 CEST 2023


On Saturday, 15 July 2023 00:04:21 CEST you wrote:
> Hi all,
> 
> if my understanding is correct, CVE-2022-37026 allows an authentication bypass 
> by clients when using certificate-based authentication, while 'normal' user/
> password-based authentication is not affected.
> 
> If that is indeed the case, then I believe our quick fix doesn't entail an 
> immediate risk to Guam users.
> 
> Nevertheless, I do feel somewhat strongly about doing things the right way. In 
> our case this would mean:
> 1. Make OBS pull the latest Debian 10 packages, including erlang-base.
> 2. Revert the patch that enables ERTS bundling for Guam.
> 3. Rebuild Guam.
> 

I'd rather have it bundled than wake up to our packages no longer starting because the upstream erts package changed, so for unbundling we need to figure out which erts version to pin first IMO.

> I'm happy to take care of steps 2 and 3, but step 1 needs to be done by an OBS 
> admin. Christian? Jeroen?
> 

Do you happen to know how to trigger such an update?
I have access, but to me it seems the OBS mostly expects to build against a static repository.

Cheers,
Christian

> Best,
> Christoph
> 
> On Friday, 14 July 2023 16:17:42 CEST hede wrote:
> > Many thanks for the short timed fix!
> > 
> > I think there's a reason for debian to upgrade a package (via security repo)
> > so bundling the old version is indeed not a good idea. Do you have further
> > plans to fix this like making guam compatible with newer erlang versions?
> > 
> > best regards
> > hede
> > _______________________________________________
> > users mailing list
> > users at lists.kolab.org
> > https://lists.kolab.org/mailman/listinfo/users
> 

