2330624 – (CVE-2024-53846) CVE-2024-53846 erlang: ssl fails to validate incorrect extened key usage

Bug 2330624 (CVE-2024-53846) - CVE-2024-53846 erlang: ssl fails to validate incorrect extened key usage

Summary: CVE-2024-53846 erlang: ssl fails to validate incorrect extened key usage

Keywords:
Status:	NEW
Alias:	CVE-2024-53846
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2330644 2330645
Blocks:
TreeView+	depends on / blocked

Reported:	2024-12-05 18:01 UTC by OSIDB Bzimport
Modified:	2024-12-05 20:12 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-12-05 18:01:15 UTC

OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang, and a set of design principles for Erlang programs. A regression was introduced into the ssl application of OTP starting at OTP-25.3.2.8, OTP-26.2, and OTP-27.0, resulting in a server or client verifying the peer when incorrect extended key usage is presented (i.e., a server will verify a client if they have server auth ext key usage and vice versa).

Note You need to log in before you can comment on or make changes to this bug.