In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS.
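The description above gives the fix thresholds per release branch. As an added example (not code from this bug or from the Erlang/OTP project), the check below tells an administrator whether an installed OTP version string falls inside those ranges. It assumes the dotted-integer format found in OTP's OTP_VERSION file (for example "24.3.4.1"); the function names are this example's own.

```python
# Added example, not from the Red Hat bug or from Erlang/OTP.
# Decides whether an installed Erlang/OTP release lies inside the
# CVE-2022-37026 affected ranges stated in the bug description.
# Assumption: the version string is dotted integers, as in the
# OTP_VERSION file shipped with an OTP install (e.g. "24.3.4.1").
import re
from typing import Tuple

# First fixed release on each maintained branch, per the CVE text.
FIRST_FIXED = {
    23: (23, 3, 4, 15),
    24: (24, 3, 4, 2),
    25: (25, 0, 2),
}


def parse_otp_version(text: str) -> Tuple[int, ...]:
    """Turn "24.3.4.1\\n" into (24, 3, 4, 1); reject anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not an OTP version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version: str) -> bool:
    """True when `version` predates the fix on its branch."""
    v = parse_otp_version(version)
    major = v[0]
    if major < 23:
        # "before 23.3.4.15" covers every release older than 23 as well.
        return True
    fixed = FIRST_FIXED.get(major)
    if fixed is None:
        # 26.x and newer were released after the fix landed.
        return False
    # Tuple comparison handles shorter strings: (23, 3, 4) < (23, 3, 4, 15).
    return v < fixed


def describe(version: str) -> str:
    """One-line verdict suitable for an inventory report."""
    v = parse_otp_version(version)
    if is_vulnerable(version):
        target = FIRST_FIXED.get(v[0], FIRST_FIXED[23])
        return (f"OTP {version.strip()}: affected by CVE-2022-37026, "
                f"upgrade to {'.'.join(map(str, target))} or later")
    return f"OTP {version.strip()}: not affected by CVE-2022-37026"


if __name__ == "__main__":
    # Constructed sample inputs, one per branch plus an older and a newer release.
    for sample in ("22.3", "23.3.4.14", "23.3.4.15", "24.3.4.1", "25.0.1", "26.0"):
        print(describe(sample))
```

The full version string is not what `erlang:system_info(otp_release)` returns (that yields only the major release); read it from the OTP_VERSION file under the install's `releases/<major>/` directory instead and pass its contents to `describe`.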
Created erlang tracking bugs for this issue:

Affects: epel-all [bug 2141803]
Affects: fedora-all [bug 2141804]
Relevant commit for each upstream maint branch:

$ git log --no-merges --oneline -n1 --grep 'ssl: Enhanch handling of unexpected messages' origin/maint-23
cd5024867e ssl: Enhanch handling of unexpected messages
$ git log --no-merges --oneline -n1 --grep 'ssl: Enhanch handling of unexpected messages' origin/maint-24
254f272890 ssl: Enhanch handling of unexpected messages
$ git log --no-merges --oneline -n1 --grep 'ssl: Enhanch handling of unexpected messages' origin/maint-25
c9e9332941 ssl: Enhanch handling of unexpected messages
This issue has been addressed in the following products:

Red Hat OpenStack Platform 16.2

Via RHSA-2022:8857 https://access.redhat.com/errata/RHSA-2022:8857
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-37026