Re: CVE Request -- Erlang/OTP R14, Erlang/OTP R14B01, Erlang/OTP R14B02 -- multiple security fixes

[Hans Bolinder <hans.bolinder () ericsson com>]

[Jan Lieskovsky:]
>    based on:
>    [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619857
>
>    and:
>    [2] http://www.erlang.org/download/otp_src_R14B.readme
>    [3] http://www.erlang.org/download/otp_src_R14B01.readme
>    [4] http://www.erlang.org/download/otp_src_R14B02.readme
>
> performed some initial issues review -- erlang-CVE-request.txt
> attached. But since not sure, which of those are real security
> flaws and how many CVE ids will be needed for those, Cc-ing
> also Erlang upstream developers to shed more light into this.
> ...
> could you please have a look at the attached review file
> and reply which of the #20 OTPs in the list are security flaws
> (so we would know the count of CVE identifiers needed) and which
> are just bugs? (since you know the Erlang code better than me)

> stdlib:
>   - 20), race condition/silent data corruption in dets OTP-8898
>     Patch: https://github.com/erlang/otp/commit/4e79fa3b1b6797f2583848d307d6b85cec94a920
>     Note: Hard to tell if has security implications

It's a bug fix, and I believe it has no security implications.

Best regards,

Hans Bolinder, Erlang/OTP team, Ericsson