ELA-754-1 erlang security update

client authentication bypass

Version1:19.2.1+dfsg-2+really23.3.4.18-0+deb9u2 (stretch)
Related CVEs CVE-2022-37026

A Client Authentication Bypass vulnerability has been discovered in the concurrent, real-time, distributed functional language Erlang. Impacted are those who are running an ssl/tls/dtls server using the ssl application either directly or indirectly via other applications. Note that the vulnerability only affects servers that request client certification, that is sets the option {verify, verify_peer}.

The rabbitmq-server binary package is most affected by this vulnerability. In order to remedy the problem rabbitmq-server was upgraded to version 3.6.6+really3.8.9-0+deb9u1.

Please note that the versioning scheme +really{$upstream_version} indicates the real upstream version. This was done to allow seamless upgrades from Stretch to Buster.

For Debian 9 stretch, these problems have been fixed in version 1:19.2.1+dfsg-2+really23.3.4.18-0+deb9u2.

We recommend that you upgrade your erlang packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.