https://bugzilla.redhat.com/show_bug.cgi?id=1206713
--- Comment #3 from David A. Cafaro <dac(a)cafaro.net> ---
Looking upstream it appears a patch for this was added in Release 17.5 and
later.
http://www.erlang.org/download/otp_src_17.5.readme
"OTP-12420 Application(s): ssl

*** POTENTIAL INCOMPATIBILITY ***

Add padding check for TLS-1.0 to remove Poodle
vulnerability from TLS 1.0, also add the option
padding_check. This option only affects TLS-1.0
connections and if set to false it disables the block
cipher padding check to be able to interoperate with
legacy software.

OTP-12458 Application(s): ssl

Add support for TLS_FALLBACK_SCSV used to prevent
undesired TLS version downgrades. If used by a client
that is vulnerable to the POODLE attack, and the server
also supports TLS_FALLBACK_SCSV, the attack can be
prevented."
This would need to be an update from the current erlang-R16B-03.10.fc20 and
17.4-1.fc21 packages.
Do we have any status on a fix for this?
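The kind of block cipher padding check that the quoted OTP-12420 note refers to, as an added example that is not part of the original comment and is not Erlang/OTP's code. The function names, the 16-byte block size and the sample records are constructed for illustration; `lax_unpad` models a receiver that skips the check.

```python
import hmac
from typing import Optional

BLOCK = 16  # block size assumed for the constructed records (e.g. AES-CBC)

def lax_unpad(plaintext: bytes) -> Optional[bytes]:
    """Receiver that skips the check: only the final length byte is trusted."""
    if not plaintext or plaintext[-1] + 1 > len(plaintext):
        return None
    return plaintext[: -(plaintext[-1] + 1)]

def strict_unpad(plaintext: bytes) -> Optional[bytes]:
    """TLS 1.0 rule (RFC 2246, 6.2.3.2): each padding byte equals the length byte."""
    if not plaintext or len(plaintext) % BLOCK:
        return None
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return None
    tail = plaintext[-(pad_len + 1):]
    # compare_digest avoids an early exit on the first mismatching byte; a real
    # record layer must also keep MAC processing time independent of pad_len.
    if not hmac.compare_digest(tail, bytes([pad_len]) * (pad_len + 1)):
        return None
    return plaintext[: -(pad_len + 1)]

# Constructed sample records (already "decrypted"; no real cipher or MAC here).
PAYLOAD = b"constructed-payload!"                # 20 bytes
GOOD = PAYLOAD + b"\x0b" * 12                    # 11 pad bytes + length byte 0x0b
TAMPERED = PAYLOAD + bytes(range(11)) + b"\x0b"  # arbitrary pad bytes, same length byte

def compare(record: bytes) -> dict:
    """Return what each receiver accepts for one decrypted record."""
    return {"lax": lax_unpad(record), "strict": strict_unpad(record)}

if __name__ == "__main__":
    for name, rec in (("good", GOOD), ("tampered", TAMPERED)):
        print(name, compare(rec))
```

The tampered record passes the lax receiver unchanged and is rejected by the strict one, which is the difference the padding check makes for TLS 1.0 connections.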