ConfD User Community

Version of erlang-otp in each ConfD release?

Is there a page or document that lists what specific version of erlang-otp is used in each release of ConfD?
I checked the release notes for ConfD 7.8.3 and found only the following:

  • erlang-api: The old Erlang crypto API was deprecated in OTP 23.x in
    favor of the new crypto API. Furthermore, the old Erlang crypto API is
    removed in OTP 24.x.
    ConfD migrates to the new crypto API and also replaces erlang:phash/2
    (deprecated) with erlang:phash2/2 for the econfd MAAPI cursor id.

    (ENG-28212, RT:48547, PS-43659, CSCwa82880)

I ask because of this CVE: NVD - CVE-2022-37026
The CVE states:
“In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS.”

It would be useful to know which versions of ConfD are not vulnerable to this. Thank you!

See $CONFD_DIR/VERSION.

I believe you are only affected by that issue if you use mutual authentication, i.e., client authentication (not server authentication) and TLS 1.1 or 1.2 (not TLS 1.3) with the RESTCONF or JSON-RPC interfaces.
Example of RESTCONF mutual authentication, i.e., both server and client authentication:

In short, use TLS 1.3.
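As an added example (not from this thread, and not ConfD's own tooling), the check below turns the version ranges quoted from CVE-2022-37026 and the exposure conditions given in the answer above into a small script. It assumes the Erlang/OTP version is available as a dotted string (for instance "24.3.4.2"); treating $CONFD_DIR/VERSION as the place that string is read from is an assumption, as is the `exposed()` rule that mutual authentication plus a TLS version below 1.3 is what makes the bug reachable. All sample values are constructed.

```python
"""Check an Erlang/OTP version against the fixed versions named in CVE-2022-37026.

Added example, not part of the ConfD forum thread or of ConfD itself.
Assumptions: the OTP version is a dotted string such as "24.3.4.2"; the
VERSION file under $CONFD_DIR holding it is an assumption; sample values
below are constructed, not real ConfD output.
"""
import os
import re

# Fixed versions as quoted from the CVE text: a release is affected when it is
# below the fixed version of its own major line (23.x, 24.x, 25.x).
FIXED = {
    23: (23, 3, 4, 15),
    24: (24, 3, 4, 2),
    25: (25, 0, 2),
}


def parse_otp_version(text):
    """Extract the first dotted version number, e.g. 'OTP 24.3.4.2' -> (24, 3, 4, 2)."""
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"no dotted version found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version):
    """True when the OTP version falls in a range the CVE lists as vulnerable.

    Tuple comparison handles shorter strings correctly: (24, 3, 4) sorts
    before (24, 3, 4, 2), so 24.3.4 is reported as affected.
    """
    major = version[0]
    if major < 23:
        return True          # "before 23.3.4.15" covers every earlier line
    if major > 25:
        return False         # lines after 25.x are outside the advisory's ranges
    return version < FIXED[major]


def exposed(version, mutual_auth, tls_versions):
    """Combine the version check with the conditions stated in the answer above.

    Assumption drawn from the thread: the bypass is only reachable when client
    certificate (mutual) authentication is enabled on RESTCONF or JSON-RPC and
    a TLS version below 1.3 is negotiable. Both are inputs here, not detected.
    """
    if not is_affected(version):
        return False
    if not mutual_auth:
        return False
    return any(v in ("1.1", "1.2") for v in tls_versions)


def read_version_file(path=None):
    """Read the OTP version from $CONFD_DIR/VERSION (assumed file and format)."""
    if path is None:
        path = os.path.join(os.environ.get("CONFD_DIR", "."), "VERSION")
    with open(path, encoding="utf-8") as handle:
        return parse_otp_version(handle.read())


if __name__ == "__main__":
    # Constructed sample inputs; replace with the real file and your own settings.
    samples = ["OTP 24.3.4.1", "23.3.4.15", "25.0.1", "22.3.4.26"]
    for text in samples:
        ver = parse_otp_version(text)
        print(f"{text:>12}: affected={is_affected(ver)} "
              f"exposed(mutual TLS 1.2)={exposed(ver, True, ('1.2',))} "
              f"exposed(mutual TLS 1.3 only)={exposed(ver, True, ('1.3',))}")
    try:
        print("installed:", read_version_file(), "affected:", is_affected(read_version_file()))
    except (FileNotFoundError, ValueError) as err:
        print("could not read installed version:", err)
```

Run it with `CONFD_DIR` pointing at a ConfD installation; the hard-coded samples run regardless, so the comparison logic can be checked without an installation present.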

Thank you, this is very helpful.