We are currently using the SSH module from OTP-18.3.4.11, integrated with NSC 4.7.0 and Confd 6.7.3.2 (both leveraging Erlang/OTP 18.3.4.11 from 2016) for Netconf functionality in our product. As these versions are now EOL, we are working to address known security vulnerabilities.
I am seeking assistance in backporting the following security fixes to the OTP-18.3.4.11 branch:
- Unauthenticated Remote Code Execution in Erlang/OTP SSH
- KEX init error resulting in excessive memory usage (KEX init error results with excessive memory usage · Advisory · erlang/otp · GitHub)
- SSH SFTP packet size not verified properly (SSH SFTP packet size not verified properly · Advisory · erlang/otp · GitHub)
- SSL fails to validate incorrect extended key usage (ssl fails to validate incorrect extended key usage · Advisory · erlang/otp · GitHub)
Initially, I would appreciate help in identifying the specific commits associated with each of these issues. Following that, any guidance on how to correctly port the changes to the OTP-18.3.4.11 tag would be incredibly helpful.
By way of background, this is my first experience working with the Erlang language; my primary programming experience is in Java, Python, and Bash. While I have successfully built and compiled the OTP-18.3.4.11 branch, navigating the Erlang codebase and syntax is challenging at times.
I reached out to Lukas Larsson, who kindly suggested posting here for community support. I would be very grateful for any advice, guidance, or help that could be provided to assist in patching this older software version.
Thank you very much in advance for your time and support!
Best regards,
Bhavesh
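The post asks how to locate fix commits and port them onto the OTP-18.3.4.11 tag. The script below is an added example of the generic git workflow for that (it is not part of the original post, nor erlang/otp's own tooling): it builds a throwaway repository with constructed commits, searches commit subjects for a phrase taken from an advisory title, cuts a branch from the release tag, and cherry-picks the fix with `-x` so the backport records the upstream hash. The tag name is the one from the post; the commit subject "ssh: verify SFTP packet size", the branch name `maint-18-security`, and the Erlang file contents are assumptions for illustration and are not the real upstream change.

```shell
#!/bin/sh
# Added example (not from the original post or the erlang/otp project): a
# self-contained demonstration of backporting a fix commit onto a branch cut
# from an old release tag. The repository, commits and file contents below are
# constructed; the fix subject and branch name are assumed for illustration.
set -eu

# Fixed identity and no signing so the demo works in a bare CI environment.
GIT="git -c user.name=demo -c user.email=demo@example.invalid -c commit.gpgsign=false"

# Build a toy history: an old release tag, later unrelated work, then the fix.
# Prints the repository path so callers can pass it to the other functions.
make_demo_repo() {
    dir=$(mktemp -d)
    $GIT -C "$dir" init -q .
    $GIT -C "$dir" checkout -q -b main
    printf 'handle_packet(Len) -> Len.\n' > "$dir/ssh_sftp.erl"
    $GIT -C "$dir" add ssh_sftp.erl
    $GIT -C "$dir" commit -q -m "ssh: initial sftp handler"
    $GIT -C "$dir" tag OTP-18.3.4.11      # the old release the product is built from
    printf 'unrelated() -> ok.\n' > "$dir/other.erl"
    $GIT -C "$dir" add other.erl
    $GIT -C "$dir" commit -q -m "unrelated: later development"
    # The fix to backport; its subject mirrors the advisory title (assumed).
    printf 'handle_packet(Len) when Len =< 16#10000 -> Len;\nhandle_packet(_) -> error.\n' > "$dir/ssh_sftp.erl"
    $GIT -C "$dir" add ssh_sftp.erl
    $GIT -C "$dir" commit -q -m "ssh: verify SFTP packet size"
    echo "$dir"
}

# Locate a candidate commit by searching all commit subjects/bodies for a phrase
# from the advisory title. Prints the newest matching full hash.
find_fix_commit() {
    repo=$1; phrase=$2
    $GIT -C "$repo" log --all --format=%H --grep="$phrase" | head -n 1
}

# Cut a branch from the old tag and cherry-pick the fix with -x so the new
# commit message carries "(cherry picked from commit <hash>)" for later audit.
backport_fix() {
    repo=$1; tag=$2; commit=$3; branch=$4
    $GIT -C "$repo" checkout -q -b "$branch" "$tag"
    $GIT -C "$repo" cherry-pick -x "$commit" >/dev/null
    # Fail loudly if the provenance line is missing from the backport commit.
    $GIT -C "$repo" log -1 --format=%B | grep -q "cherry picked from commit $commit"
    echo "$branch"
}

# True (exit 0) when the given ref contains the fixed length check.
ref_has_fix() {
    repo=$1; ref=$2
    $GIT -C "$repo" show "$ref:ssh_sftp.erl" | grep -q '16#10000'
}

demo() {
    repo=$(make_demo_repo)
    fix=$(find_fix_commit "$repo" "verify SFTP packet size")
    branch=$(backport_fix "$repo" OTP-18.3.4.11 "$fix" maint-18-security)
    ref_has_fix "$repo" "$branch" && echo "backported $fix onto $branch in $repo"
}
```

Against the real erlang/otp clone the same `git log --all --grep` search would be run with a phrase from each advisory title, and a cherry-pick that conflicts (likely for code that changed a lot between OTP 18 and the fixed release) is resolved by hand and finished with `git cherry-pick --continue`, or discarded with `git cherry-pick --abort`.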