Skip to content

Automatic update of OpenVEX Statements for erlang/otp #10381

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Automatic update of OpenVEX Statements for erlang/otp #10381

wants to merge 2 commits into from

Conversation

@erlang-bot-app
Copy link
Contributor

@erlang-bot-app erlang-bot-app bot commented Nov 18, 2025

Automatic Action. There is a vulnerability from GH Advisories without a matching OpenVEX statement

@CLAassistant
Copy link

CLAassistant commented Nov 18, 2025
edited
Loading

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ kikofernandez
❌ erlang-bot-app[bot]
You have signed the CLA already but the status is still pending? Let us recheck it.

@github-actions
Copy link
Contributor

github-actions bot commented Nov 18, 2025
edited
Loading

CT Test Results

    3 files    135 suites   49m 25s ⏱️
1 655 tests 1 598 ✅ 57 💤 0 ❌
2 293 runs  2 217 ✅ 76 💤 0 ❌

Results for commit 45df779.

♻️ This comment has been updated with latest results.

To speed up review, make sure that you have read Contributing to Erlang/OTP and that all checks pass.

See the TESTING and DEVELOPMENT HowTo guides for details about how to run test locally.

Artifacts

// Erlang/OTP Github Action Bot

@IngelaAndin IngelaAndin added the team:VM Assigned to OTP team VM label Nov 24, 2025
@kikofernandez
fix wrong starting version
45df779 
fixes wrong starting version of "CVE-2023-48795". as such, it is
included the correct generated version starting from `ssh-5.0`
kikofernandez
kikofernandez reviewed Nov 24, 2025
View reviewed changes
make/openvex.table
Comment on lines -167 to -175
{
"pkg:otp/[email protected]": "CVE-2023-48795",
"status": {
"affected": "Mitigation: If strict KEX availability cannot be ensured on both connection sides, affected encryption modes(CHACHA and CBC) can be disabled with standard ssh configuration. This will provide protection against vulnerability, but at a cost of affecting interoperability",
"fixed": [
"pkg:otp/[email protected]"
]
}
},
Copy link
Contributor

@kikofernandez kikofernandez Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the starting version I wrote for this table was not correct.

the script was able to detect that we were missing the correct version, ssh-5.0, but could not re-generate the correct versions by itself for the otp-26.openvex.json file.

This is a special case, simply because the script generates the correct versions assuming it starts from 0.
In cases where we manually write wrongly the versions, we have to simply remove the CVE and run .github/scripts/otp-compliance.es vex run -b otp-26 to generate the correct versions.

This is what my commit shows.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kikofernandez kikofernandez kikofernandez left review comments

@IngelaAndin IngelaAndin Awaiting requested review from IngelaAndin

@u3s u3s Awaiting requested review from u3s

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

team:VM Assigned to OTP team VM

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@CLAassistant @kikofernandez @IngelaAndin