https://bugzilla.redhat.com/show_bug.cgi?id=1206714
--- Comment #4 from David A. Cafaro <dac(a)cafaro.net> ---
Looking upstream, it appears a patch for this was added in Release 17.5 and
later.
http://www.erlang.org/download/otp_src_17.5.readme
"OTP-12420 Application(s): ssl

*** POTENTIAL INCOMPATIBILITY ***

Add padding check for TLS-1.0 to remove Poodle
vulnerability from TLS 1.0, also add the option
padding_check. This option only affects TLS-1.0
connections and if set to false it disables the block
cipher padding check to be able to interoperate with
legacy software.

OTP-12458 Application(s): ssl

Add support for TLS_FALLBACK_SCSV used to prevent
undesired TLS version downgrades. If used by a client
that is vulnerable to the POODLE attack, and the server
also supports TLS_FALLBACK_SCSV, the attack can be
prevented."
I have not found a backport to the current Release 14 Beta 4 in the repos.
Do we have any status on a fix for this?
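
Added example (not part of the bug comment and not Erlang/OTP code): the kind of block cipher padding check the OTP-12420 note refers to, sketched in Python. The function names, the 16-byte block size and the sample records are assumptions constructed for illustration; the lax variant models a receiver that reads only the final padding length byte.

```python
from typing import Optional

BLOCK = 16  # assumed cipher block size (AES) for the constructed samples


def strict_padding_len(record: bytes) -> Optional[int]:
    """Return the total padding size (padding bytes + length byte) if every
    padding byte equals the length byte, as TLS defines it; else None."""
    if not record or len(record) % BLOCK:
        return None
    pad = record[-1]
    if pad + 1 > len(record):
        return None
    # OR the differences together rather than returning at the first bad
    # byte, so the loop always walks the whole padding region.
    diff = 0
    for b in record[-(pad + 1):]:
        diff |= b ^ pad
    return pad + 1 if diff == 0 else None


def lax_padding_len(record: bytes) -> Optional[int]:
    """Model of a receiver with the check disabled: only the last byte is
    read and the content of the padding bytes is never inspected."""
    if not record or len(record) % BLOCK:
        return None
    pad = record[-1]
    return pad + 1 if pad + 1 <= len(record) else None


def pad_tls(data: bytes) -> bytes:
    """Pad decrypted-record content the way a TLS sender does: N bytes of
    value N followed by the length byte N, up to a block boundary."""
    pad = BLOCK - 1 - (len(data) % BLOCK)
    return data + bytes([pad]) * (pad + 1)


# Constructed samples: a well-formed record and one with a single altered
# padding byte (the length byte itself is left untouched).
GOOD = pad_tls(b"payload+mac bytes")
TAMPERED = GOOD[:-3] + b"\x00" + GOOD[-2:]

if __name__ == "__main__":
    for name, rec in (("good", GOOD), ("tampered", TAMPERED)):
        print(name, "strict:", strict_padding_len(rec),
              "lax:", lax_padding_len(rec))
```

The tampered record passes the lax check unchanged but is rejected by the strict one, which is the difference the padding check makes for TLS 1.0 CBC records.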