author | Loïc Hoguin <[email protected]> | 2023-01-09 14:03:58 +0100 |
---|---|---|
committer | Loïc Hoguin <[email protected]> | 2023-01-09 14:03:58 +0100 |
commit | bf6871b325648983df24470adb72da4c82c62b92 (patch) | |
tree | da5df2987acff852106a22370b157398950acb38 | |
parent | e0fdcedd4de721c83f6634f96036dd8c50e5d65b (diff) | |
Add release notes for other branches
-rw-r--r-- | release-notes/OTP-18.3.4.1.1.README.txt | 88 | ||||
-rw-r--r-- | release-notes/OTP-20.3.2.1.README.txt | 44 | ||||
-rw-r--r-- | release-notes/OTP-23.2.7.5.README.txt | 40 |
3 files changed, 172 insertions, 0 deletions
diff --git a/release-notes/OTP-18.3.4.1.1.README.txt b/release-notes/OTP-18.3.4.1.1.README.txt new file mode 100644 index 0000000..b98ba1c --- /dev/null +++ b/release-notes/OTP-18.3.4.1.1.README.txt 
@@ -0,0 +1,88 @@ +Patch Package: OTP 18.3.4.1.1 +Git Tag: OTP-18.3.4.1.1 +Date: 2017-11-22 +Trouble Report Id: OTP-14748 +Seq num: +System: OTP +Release: 18 +Application: ssl-7.3.3.0.1 +Predecessor: OTP 18.3.4.1 + + Check out the git tag OTP-18.3.4.1.1, and build a full OTP system + including documentation. Apply one or more applications from this + build as patches to your installation using the 'otp_patch_apply' + tool. For information on install requirements, see descriptions for + each application version below. + + --------------------------------------------------------------------- + --- ssl-7.3.3.0.1 --------------------------------------------------- + --------------------------------------------------------------------- + + The ssl-7.3.3.0.1 application can be applied independently of other + applications on a full OTP 18 installation. + + --- Fixed Bugs and Malfunctions --- + + OTP-14748 Application(s): ssl + + An erlang TLS server configured with cipher suites + using rsa key exchange, may be vulnerable to an + Adaptive Chosen Ciphertext attack (AKA Bleichenbacher + attack) against RSA, which when exploited, may result + in plaintext recovery of encrypted messages and/or a + Man-in-the-middle (MiTM) attack, despite the attacker + not having gained access to the server’s private key + itself. CVE-2017-1000385 + + Exploiting this vulnerability to perform plaintext + recovery of encrypted messages will, in most practical + cases, allow an attacker to read the plaintext only + after the session has completed. Only TLS sessions + established using RSA key exchange are vulnerable to + this attack. + + Exploiting this vulnerability to conduct a MiTM attack + requires the attacker to complete the initial attack, + which may require thousands of server requests, during + the handshake phase of the targeted session within the + window of the configured handshake timeout. 
This attack + may be conducted against any TLS session using RSA + signatures, but only if cipher suites using RSA key + exchange are also enabled on the server. The limited + window of opportunity, limitations in bandwidth, and + latency make this attack significantly more difficult + to execute. + + RSA key exchange is enabled by default although least + prioritized if server order is honored. For such a + cipher suite to be chosen it must also be supported by + the client and probably the only shared cipher suite. + + Captured TLS sessions encrypted with ephemeral cipher + suites (DHE or ECDHE) are not at risk for subsequent + decryption due to this vulnerability. + + As a workaround if default cipher suite configuration + was used you can configure the server to not use + vulnerable suites with the ciphers option like this: + + {ciphers, [Suite || Suite <- ssl:cipher_suites(), + element(1,Suite) =/= rsa]} + + that is your code will look somethingh like this: + + ssl:listen(Port, [{ciphers, [Suite || Suite <- + ssl:cipher_suites(), element(1,S) =/= rsa]} | + Options]). + + Thanks to Hanno Böck, Juraj Somorovsky and Craig Young + for reporting this vulnerability. + + + Full runtime dependencies of ssl-7.3.3.0.1: crypto-3.3, erts-6.0, + inets-5.10.7, kernel-3.0, public_key-1.0, stdlib-2.0 + + + --------------------------------------------------------------------- + --------------------------------------------------------------------- + --------------------------------------------------------------------- diff --git a/release-notes/OTP-20.3.2.1.README.txt b/release-notes/OTP-20.3.2.1.README.txt new file mode 100644 index 0000000..f6c051d --- /dev/null +++ b/release-notes/OTP-20.3.2.1.README.txt 
@@ -0,0 +1,44 @@ +Patch Package: OTP 20.3.2.1 +Git Tag: OTP-20.3.2.1 +Date: 2019-02-18 +Trouble Report Id: OTP-15584 +Seq num: ERIERL-282 +System: OTP +Release: 20 +Application: common_test-1.15.4.0.1 +Predecessor: OTP 20.3.2 + + Check out the git tag OTP-20.3.2.1, and build a full OTP system + including documentation. Apply one or more applications from this + build as patches to your installation using the 'otp_patch_apply' + tool. For information on install requirements, see descriptions for + each application version below. + + --------------------------------------------------------------------- + --- common_test-1.15.4.0.1 ------------------------------------------ + --------------------------------------------------------------------- + + The common_test-1.15.4.0.1 application can be applied independently + of other applications on a full OTP 20 installation. + + --- Fixed Bugs and Malfunctions --- + + OTP-15584 Application(s): common_test + Related Id(s): ERIERL-282 + + The status of a test case which failed with timetrap + timeout in end_per_testcase could not be modified by + returning {fail,Reason} from a post_end_per_testcase + hook function. This is now corrected. + + + Full runtime dependencies of common_test-1.15.4.0.1: compiler-6.0, + crypto-3.6, debugger-4.1, erts-7.0, inets-6.0, kernel-4.0, + observer-2.1, runtime_tools-1.8.16, sasl-2.4.2, snmp-5.1.2, ssh-4.0, + stdlib-3.4, syntax_tools-1.7, tools-2.8, xmerl-1.3.8 + + + --------------------------------------------------------------------- + --------------------------------------------------------------------- + --------------------------------------------------------------------- + diff --git a/release-notes/OTP-23.2.7.5.README.txt b/release-notes/OTP-23.2.7.5.README.txt new file mode 100644 index 0000000..bc6f40e --- /dev/null +++ b/release-notes/OTP-23.2.7.5.README.txt 
@@ -0,0 +1,40 @@ +Patch Package: OTP 23.2.7.5 +Git Tag: OTP-23.2.7.5 +Date: 2022-06-22 +Trouble Report Id: OTP-18145 +Seq num: +System: OTP +Release: 23 +Application: ssl-10.2.4.4 +Predecessor: OTP 23.2.7.4 + + Check out the git tag OTP-23.2.7.5, and build a full OTP system + including documentation. Apply one or more applications from this + build as patches to your installation using the 'otp_patch_apply' + tool. For information on install requirements, see descriptions for + each application version below. + + --------------------------------------------------------------------- + --- ssl-10.2.4.4 ---------------------------------------------------- + --------------------------------------------------------------------- + + The ssl-10.2.4.4 application can be applied independently of other + applications on a full OTP 23 installation. + + --- Fixed Bugs and Malfunctions --- + + OTP-18145 Application(s): ssl + + Improved handling of unexpected messages during the + handshake, taking the right action for unexpected + messages. + + + Full runtime dependencies of ssl-10.2.4.4: crypto-4.2, erts-10.0, + inets-5.10.7, kernel-6.0, public_key-1.8, stdlib-3.12 + + + --------------------------------------------------------------------- + --------------------------------------------------------------------- + --------------------------------------------------------------------- + |
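Review bot: In release-notes/OTP-18.3.4.1.1.README.txt, the second workaround snippet (the ssl:listen(Port, ...) call) filters on "element(1,S) =/= rsa" while the comprehension binds "Suite", so S is unbound and the call will not compile if copied as written. The standalone {ciphers, ...} example just above it uses "element(1,Suite) =/= rsa", which is the form readers should copy. The sentence introducing the snippet also has the typo "somethingh". If this file is meant to be a byte-for-byte copy of the upstream README, keep it as is and say so in the commit message; otherwise change S to Suite and fix the typo, since this is the mitigation text for CVE-2017-1000385 and people will paste it into listener options.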
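Review bot: release-notes/OTP-20.3.2.1.README.txt ends with an added empty line after the closing rows of dashes, while OTP-18.3.4.1.1.README.txt in the same commit ends directly on the last dash row. This is a style point only: pick one convention for the end of these files (or state that they are unmodified upstream copies) so later additions do not produce whitespace-only diffs.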
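Review bot: In release-notes/OTP-23.2.7.5.README.txt, the OTP-18145 entry says only "Improved handling of unexpected messages during the handshake, taking the right action for unexpected messages", which does not tell a reader which messages are affected or what the corrected action is. Because this is a change to ssl handshake handling, anyone deciding whether to move from OTP 23.2.7.4 cannot judge its impact from this text. If the wording is upstream's, leave it unchanged, but consider recording in the commit message where the three README files were taken from so readers can follow the trouble report id to the source.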