[Kolab-devel] Erlang security update breaks guam on Debian 10

Christoph Erhardt christoph.erhardt at sicherha.de
Sat Jul 15 00:04:21 CEST 2023


Hi all,

if my understanding is correct, CVE-2022-37026 allows an authentication bypass 
by clients when using certificate-based authentication, while 'normal' user/
password-based authentication is not affected.

If that is indeed the case, then I believe our quick fix doesn't entail an 
immediate risk to Guam users.

Nevertheless, I do feel somewhat strongly about doing things the right way. In 
our case this would mean:
1. Make OBS pull the latest Debian 10 packages, including erlang-base.
2. Revert the patch that enables ERTS bundling for Guam.
3. Rebuild Guam.

I'm happy to take care of steps 2 and 3, but step 1 needs to be done by an OBS 
admin. Christian? Jeroen?

Best,
Christoph

On Friday, 14 July 2023 16:17:42 CEST hede wrote:
> Many thanks for the short timed fix!
> 
> I think there's a reason for debian to upgrade a package (via security repo)
> so bundling the old version is indeed not a good idea. Do you have further
> plans to fix this like making guam compatible with newer erlang versions?
> 
> best regards
> hede
> _______________________________________________
> users mailing list
> users at lists.kolab.org
> https://lists.kolab.org/mailman/listinfo/users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.kolab.org/pipermail/users/attachments/20230715/9a5ffc08/attachment.sig>


More information about the users mailing list