PublicDateAtUSN: 2017-12-12
Candidate: CVE-2017-1000385
PublicDate: 2017-12-12 21:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000385
 https://groups.google.com/forum/#!topic/erlang-programming/J0LH-j6fRlM
 https://ubuntu.com/security/notices/USN-3571-1
Description:
 The Erlang otp TLS server answers with different TLS alerts to different
 error types in the RSA PKCS #1 1.5 padding. This allows an attacker to
 decrypt content or sign messages with the server's private key (this is a
 variation of the Bleichenbacher attack).
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by: Hanno Böck, Juraj Somorovsky and Craig Young
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N [5.9 MEDIUM]

Patches_erlang:
 upstream: https://github.com/erlang/otp/commit/38b07caa2a1c6cd3537eadd36770afa54f067562 (OTP-20.1.7)
 upstream: https://github.com/erlang/otp/commit/3b4386dd19b7e669f557c95ace8d7ba228291927 (OTP-19.3.6.4)
 upstream: https://github.com/erlang/otp/commit/de3b9cdb8521d7edd524b4e17d1e3f883f832ec0 (OTP-18.3.4.7)
upstream_erlang: needs-triage
precise/esm_erlang: DNE
trusty_erlang: released (1:16.b.3-dfsg-1ubuntu2.2)
trusty/esm_erlang: released (1:16.b.3-dfsg-1ubuntu2.2)
xenial_erlang: released (1:18.3-dfsg-1ubuntu3.1)
esm-infra/xenial_erlang: released (1:18.3-dfsg-1ubuntu3.1)
zesty_erlang: ignored (reached end-of-life)
artful_erlang: released (1:20.0.4+dfsg-1ubuntu1.1)
devel_erlang: not-affected (1:20.1.7+dfsg-1ubuntu1)