Version of erlang-otp in each ConfD release?

judegeorge · September 30, 2022, 1:28am

Is there a page or document that lists what specific version of erlang-otp is used in each release of ConfD?
I checked the release notes for ConfD 7.8.3 and found only the following:

erlang-api: The old Erlang crypto API was deprecated in OTP 23.x in
favor of the new crypto API. Furthermore, the old Erlang crypto API is
removed in OTP 24.x.
ConfD migrates to the new crypto API and also replaces erlang:phash/2
(deprecated) with erlang:phash2/2 for the econfd MAAPI cursor id.

(ENG-28212, RT:48547, PS-43659, CSCwa82880)

I ask because of this CVE: NVD - CVE-2022-37026
The CVE states:
“In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS.”

It would be useful to know which versions of ConfD are not vulnerable to this. Thank you!

cohult · September 30, 2022, 6:47am

See $CONFD_DIR/VERSION.

cohult · September 30, 2022, 2:25pm

I believe you are only affected by that issue if you use mutual authentication,i.e., client authentication (not server authentication) and TLS 1.1 or 1.2 (not TLS 1.3) with the RESTCONF or JSON-RPC interfaces.
Example of RESTCONF mutual authentication, i.e., both server and client authentication:

In short, use TLS 1.3.

judegeorge · September 30, 2022, 3:23pm

Thank you, this is very helpful.