diff options
author | Loïc Hoguin <[email protected]> | 2018-06-26 14:30:24 +0200 |
---|---|---|
committer | Loïc Hoguin <[email protected]> | 2018-06-26 14:30:24 +0200 |
commit | 4f4b441446afeadd251025d636902fa2cfa86542 (patch) | |
tree | 46d3a010d378351e61c9ed7df013b896e8bacf16 /release-notes/OTP-20.1.7.README.txt | |
parent | d934f92715a8b8fbacbf262ea21d8c5b540d96a5 (diff) | |
download | ci.erlang.mk-4f4b441446afeadd251025d636902fa2cfa86542.tar.gz ci.erlang.mk-4f4b441446afeadd251025d636902fa2cfa86542.tar.bz2 ci.erlang.mk-4f4b441446afeadd251025d636902fa2cfa86542.zip |
Add release notes for OTP-18.0+
The version 18.3.4.3 is missing and seems to have had no
announcement or README, I do not know why.
Diffstat (limited to 'release-notes/OTP-20.1.7.README.txt')
-rw-r--r-- | release-notes/OTP-20.1.7.README.txt | 144 |
1 files changed, 144 insertions, 0 deletions
diff --git a/release-notes/OTP-20.1.7.README.txt b/release-notes/OTP-20.1.7.README.txt new file mode 100644 index 0000000..abbb67a --- /dev/null +++ b/release-notes/OTP-20.1.7.README.txt @@ -0,0 +1,144 @@ +Patch Package: OTP 20.1.7 +Git Tag: OTP-20.1.7 +Date: 2017-11-22 +Trouble Report Id: OTP-14632, OTP-14653, OTP-14655, OTP-14748, + OTP-14766 +Seq num: +System: OTP +Release: 20 +Application: public_key-1.5.1, ssl-8.2.2 +Predecessor: OTP 20.1.6 + + Check out the git tag OTP-20.1.7, and build a full OTP system + including documentation. Apply one or more applications from this + build as patches to your installation using the 'otp_patch_apply' + tool. For information on install requirements, see descriptions for + each application version below. + + --------------------------------------------------------------------- + --- public_key-1.5.1 ------------------------------------------------ + --------------------------------------------------------------------- + + The public_key-1.5.1 application can be applied independently of + other applications on a full OTP 20 installation. + + --- Improvements and New Features --- + + OTP-14653 Application(s): public_key + + Hostname verification: Add handling of the general name + iPAddress in certificate's subject alternative name + extension (subjAltName). + + + OTP-14766 Application(s): public_key + + Correct key handling in pkix_test_data/1 and use a + generic example mail address instead of an existing + one. + + + Full runtime dependencies of public_key-1.5.1: asn1-3.0, crypto-3.8, + erts-6.0, kernel-3.0, stdlib-2.0 + + + --------------------------------------------------------------------- + --- ssl-8.2.2 ------------------------------------------------------- + --------------------------------------------------------------------- + + Note! The ssl-8.2.2 application can *not* be applied independently of + other applications on an arbitrary OTP 20 installation. + + On a full OTP 20 installation, also the following runtime + dependency has to be satisfied: + -- public_key-1.5 (first satisfied in OTP 20.1) + + + --- Fixed Bugs and Malfunctions --- + + OTP-14632 Application(s): ssl + + TLS sessions must be registered with SNI if provided, + so that sessions where client hostname verification + would fail can not connect reusing a session created + when the server name verification succeeded. + + Thanks to Graham Christensen for reporting this. + + + OTP-14748 Application(s): ssl + + An erlang TLS server configured with cipher suites + using rsa key exchange, may be vulnerable to an + Adaptive Chosen Ciphertext attack (AKA Bleichenbacher + attack) against RSA, which when exploited, may result + in plaintext recovery of encrypted messages and/or a + Man-in-the-middle (MiTM) attack, despite the attacker + not having gained access to the server’s private key + itself. CVE-2017-1000385 + + Exploiting this vulnerability to perform plaintext + recovery of encrypted messages will, in most practical + cases, allow an attacker to read the plaintext only + after the session has completed. Only TLS sessions + established using RSA key exchange are vulnerable to + this attack. + + Exploiting this vulnerability to conduct a MiTM attack + requires the attacker to complete the initial attack, + which may require thousands of server requests, during + the handshake phase of the targeted session within the + window of the configured handshake timeout. This attack + may be conducted against any TLS session using RSA + signatures, but only if cipher suites using RSA key + exchange are also enabled on the server. The limited + window of opportunity, limitations in bandwidth, and + latency make this attack significantly more difficult + to execute. + + RSA key exchange is enabled by default although least + prioritized if server order is honored. For such a + cipher suite to be chosen it must also be supported by + the client and probably the only shared cipher suite. + + Captured TLS sessions encrypted with ephemeral cipher + suites (DHE or ECDHE) are not at risk for subsequent + decryption due to this vulnerability. + + As a workaround if default cipher suite configuration + was used you can configure the server to not use + vulnerable suites with the ciphers option like this: + + {ciphers, [Suite || Suite <- ssl:cipher_suites(), + element(1,Suite) =/= rsa]} + + that is your code will look somethingh like this: + + ssl:listen(Port, [{ciphers, [Suite || Suite <- + ssl:cipher_suites(), element(1,S) =/= rsa]} | + Options]). + + Thanks to Hanno Böck, Juraj Somorovsky and Craig Young + for reporting this vulnerability. + + + --- Improvements and New Features --- + + OTP-14655 Application(s): ssl + + If no SNI is available and the hostname is an + IP-address also check for IP-address match. This check + is not as good as a DNS hostname check and certificates + using IP-address are not recommended. + + Thanks to Graham Christensen for reporting this. + + + Full runtime dependencies of ssl-8.2.2: crypto-3.3, erts-7.0, + inets-5.10.7, kernel-3.0, public_key-1.5, stdlib-3.2 + + + --------------------------------------------------------------------- + --------------------------------------------------------------------- + --------------------------------------------------------------------- + |