Security update for erlang SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:3255-1 Final 1 1 2017-12-08T19:42:15Z current 2017-12-08T19:42:15Z 2017-12-08T19:42:15Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for erlang This update for erlang fixes security issues and bugs. The following vulnerabilities were addressed: - CVE-2017-1000385: Harden against the Bleichenbacher attacher against RSA - CVE-2016-10253: Heap overflow through regular expressions (bsc#1030062) In addition Erlang was updated to version 18.3.4.6, containing a number of upstream bug fixes and improvements. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2017-1358 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1030062 SUSE Bug 1030062 https://www.suse.com/security/cve/CVE-2016-10253/ SUSE CVE CVE-2016-10253 page https://www.suse.com/security/cve/CVE-2017-1000385/ SUSE CVE CVE-2017-1000385 page SUSE Package Hub 12 erlang-18.3.4.7-9.1 erlang-debugger-18.3.4.7-9.1 erlang-debugger-src-18.3.4.7-9.1 erlang-dialyzer-18.3.4.7-9.1 erlang-dialyzer-src-18.3.4.7-9.1 erlang-diameter-18.3.4.7-9.1 erlang-diameter-src-18.3.4.7-9.1 erlang-doc-18.3.4.7-9.1 erlang-epmd-18.3.4.7-9.1 erlang-et-18.3.4.7-9.1 erlang-et-src-18.3.4.7-9.1 erlang-gs-18.3.4.7-9.1 erlang-gs-src-18.3.4.7-9.1 erlang-jinterface-18.3.4.7-9.1 erlang-jinterface-src-18.3.4.7-9.1 erlang-observer-18.3.4.7-9.1 erlang-observer-src-18.3.4.7-9.1 erlang-reltool-18.3.4.7-9.1 erlang-reltool-src-18.3.4.7-9.1 erlang-src-18.3.4.7-9.1 erlang-wx-18.3.4.7-9.1 erlang-wx-src-18.3.4.7-9.1 erlang-18.3.4.7-9.1 as a component of SUSE Package Hub 12 erlang-debugger-18.3.4.7-9.1 as a component of SUSE Package Hub 12 erlang-debugger-src-18.3.4.7-9.1 as a component of SUSE Package Hub 12 erlang-dialyzer-18.3.4.7-9.1 as a component of SUSE Package Hub 12 erlang-dialyzer-src-18.3.4.7-9.1 as a component of SUSE Package Hub 12 erlang-diameter-18.3.4.7-9.1 as a component of SUSE Package Hub 12 erlang-diameter-src-18.3.4.7-9.1 as a component of SUSE Package Hub 12 erlang-doc-18.3.4.7-9.1 as a component of SUSE Package Hub 12 erlang-epmd-18.3.4.7-9.1 as a component of SUSE Package Hub 12 erlang-et-18.3.4.7-9.1 as a component of SUSE Package Hub 12 erlang-et-src-18.3.4.7-9.1 as a component of SUSE Package Hub 12 erlang-gs-18.3.4.7-9.1 as a component of SUSE Package Hub 12 erlang-gs-src-18.3.4.7-9.1 as a component of SUSE Package Hub 12 erlang-jinterface-18.3.4.7-9.1 as a component of SUSE Package Hub 12 erlang-jinterface-src-18.3.4.7-9.1 as a component of SUSE Package Hub 12 erlang-observer-18.3.4.7-9.1 as a component of SUSE Package Hub 12 erlang-observer-src-18.3.4.7-9.1 as a component of SUSE Package Hub 12 erlang-reltool-18.3.4.7-9.1 as a component of SUSE Package Hub 12 erlang-reltool-src-18.3.4.7-9.1 as a component of SUSE Package Hub 12 erlang-src-18.3.4.7-9.1 as a component of SUSE Package Hub 12 erlang-wx-18.3.4.7-9.1 as a component of SUSE Package Hub 12 erlang-wx-src-18.3.4.7-9.1 as a component of SUSE Package Hub 12 An issue was discovered in Erlang/OTP 18.x. Erlang's generation of compiled regular expressions is vulnerable to a heap overflow. Regular expressions using a malformed extpattern can indirectly specify an offset that is used as an array index. This ordinal permits arbitrary regions within the erts_alloc arena to be both read and written to. CVE-2016-10253 SUSE Package Hub 12:erlang-18.3.4.7-9.1 SUSE Package Hub 12:erlang-debugger-18.3.4.7-9.1 SUSE Package Hub 12:erlang-debugger-src-18.3.4.7-9.1 SUSE Package Hub 12:erlang-dialyzer-18.3.4.7-9.1 SUSE Package Hub 12:erlang-dialyzer-src-18.3.4.7-9.1 SUSE Package Hub 12:erlang-diameter-18.3.4.7-9.1 SUSE Package Hub 12:erlang-diameter-src-18.3.4.7-9.1 SUSE Package Hub 12:erlang-doc-18.3.4.7-9.1 SUSE Package Hub 12:erlang-epmd-18.3.4.7-9.1 SUSE Package Hub 12:erlang-et-18.3.4.7-9.1 SUSE Package Hub 12:erlang-et-src-18.3.4.7-9.1 SUSE Package Hub 12:erlang-gs-18.3.4.7-9.1 SUSE Package Hub 12:erlang-gs-src-18.3.4.7-9.1 SUSE Package Hub 12:erlang-jinterface-18.3.4.7-9.1 SUSE Package Hub 12:erlang-jinterface-src-18.3.4.7-9.1 SUSE Package Hub 12:erlang-observer-18.3.4.7-9.1 SUSE Package Hub 12:erlang-observer-src-18.3.4.7-9.1 SUSE Package Hub 12:erlang-reltool-18.3.4.7-9.1 SUSE Package Hub 12:erlang-reltool-src-18.3.4.7-9.1 SUSE Package Hub 12:erlang-src-18.3.4.7-9.1 SUSE Package Hub 12:erlang-wx-18.3.4.7-9.1 SUSE Package Hub 12:erlang-wx-src-18.3.4.7-9.1 moderate 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-10253.html CVE-2016-10253 https://bugzilla.suse.com/1030062 SUSE Bug 1030062 The Erlang otp TLS server answers with different TLS alerts to different error types in the RSA PKCS #1 1.5 padding. This allows an attacker to decrypt content or sign messages with the server's private key (this is a variation of the Bleichenbacher attack). CVE-2017-1000385 SUSE Package Hub 12:erlang-18.3.4.7-9.1 SUSE Package Hub 12:erlang-debugger-18.3.4.7-9.1 SUSE Package Hub 12:erlang-debugger-src-18.3.4.7-9.1 SUSE Package Hub 12:erlang-dialyzer-18.3.4.7-9.1 SUSE Package Hub 12:erlang-dialyzer-src-18.3.4.7-9.1 SUSE Package Hub 12:erlang-diameter-18.3.4.7-9.1 SUSE Package Hub 12:erlang-diameter-src-18.3.4.7-9.1 SUSE Package Hub 12:erlang-doc-18.3.4.7-9.1 SUSE Package Hub 12:erlang-epmd-18.3.4.7-9.1 SUSE Package Hub 12:erlang-et-18.3.4.7-9.1 SUSE Package Hub 12:erlang-et-src-18.3.4.7-9.1 SUSE Package Hub 12:erlang-gs-18.3.4.7-9.1 SUSE Package Hub 12:erlang-gs-src-18.3.4.7-9.1 SUSE Package Hub 12:erlang-jinterface-18.3.4.7-9.1 SUSE Package Hub 12:erlang-jinterface-src-18.3.4.7-9.1 SUSE Package Hub 12:erlang-observer-18.3.4.7-9.1 SUSE Package Hub 12:erlang-observer-src-18.3.4.7-9.1 SUSE Package Hub 12:erlang-reltool-18.3.4.7-9.1 SUSE Package Hub 12:erlang-reltool-src-18.3.4.7-9.1 SUSE Package Hub 12:erlang-src-18.3.4.7-9.1 SUSE Package Hub 12:erlang-wx-18.3.4.7-9.1 SUSE Package Hub 12:erlang-wx-src-18.3.4.7-9.1 moderate 6.1 AV:N/AC:H/Au:N/C:C/I:P/A:N 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-1000385.html CVE-2017-1000385 https://bugzilla.suse.com/1070960 SUSE Bug 1070960