Bug 224339

Summary: lang/erlang-runtime17: vulnerable to CVE-2017-1000385 [PATCH]
Product: Ports & Packages
Reporter: Stefan Grundmann <sg2342>
Component: Individual Port(s)
Assignee: Jimmy Olgeni <olgeni>
Status: Closed FIXED
Severity: Affects Many People
Keywords: patch
Priority: ---
Flags: bugzilla: maintainer-feedback? (olgeni)
Version: Latest
Hardware: Any
OS: Any
Attachments:
backport CVE-2017-1000385 from erlang-runtime18 (flags: none)

Description Stefan Grundmann 2017-12-14 13:54:54 UTC
Created attachment 188825
backport CVE-2017-1000385 from erlang-runtime18

While lang/erlang-runtime18, lang/erlang-runtime19 and lang/erlang-runtime20 received CVE-2017-1000385 related updates, erlang-runtime17 did not (it is no longer supported by upstream apparently).

see https://robotattack.org for information about the attack
https://github.com/robotattackorg/robot-detect can be used to confirm that
erlang-runtime17 is vulnerable.
http://erlang.org/pipermail/erlang-questions/2017-November/094257.html is the
Patch Package: OTP 18.3.4.7 email from the OTP team.


attached patch is (the trivial) backport of the changes in OTP 18.3.4.7.
Comment 1 Jimmy Olgeni freebsd_committer freebsd_triage 2017-12-16 21:07:56 UTC
Patch committed. Thanks!