Windows Patch Packages?

Peter Tirrell
Hello all,

I saw an existing recent thread about general patch packages but didn't necessarily want to hijack that thread. I currently am using OTP 18.2.1 on Windows but became aware of security advisory CVE-2017-1000385 (https://nvd.nist.gov/vuln/detail/CVE-2017-1000385#VulnChangeHistoryDiv).

It looks like I can get OTP 18.3.4.7+ and have the advisory addressed, but I'm unclear on how to do so. The downloads page simply lists an 18.3 download and doesn't list the fixed OTP bug number in the readme. The earlier thread I saw seemed to imply that Windows builds on the downloads page aren't updated.

So my question is - how do I apply the latest Windows patched builds? Are there patched Windows release builds available somewhere? If I download a version from the downloads page, will that be the latest available major point version, including any patches for that point version?

Or if there's a patch package put out, do I need to either compile that version from source, or wait until there is another major point version released that comes *after* that patch package was created? For example, I'm looking for a fix for bug "OTP-14748". The only Windows build that appears to be dated since that was fixed is 20.2, yet the readme for that does not include a reference to 14748 either.

Thanks for any info!

_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions
Re: Windows Patch Packages?

Onorio Catenacci
I would say that it's most likely that if you need those patch packages you'll need to pull source and build it on your own machine.

Just a guess, of course.

Re: Windows Patch Packages?

Jeroen Roovers
     Hi everyone,


On 21 December 2017 at 14:07, Onorio Catenacci <[hidden email]> wrote:
> I would say that it's most likely that if you need those patch packages

I would think most people want or indeed need security patches.

> you'll need to pull source and build it on your own machine.

I know I probably should have created a new thread, but I build from
source (for an embedded Linux system) and I have looked at the patch
release news for a while now, and I simply don't see proper
instructions on how to turn the patch release tags from
https://github.com/erlang/otp/releases into something resembling the
OTP releases from the main download site. It looks like
https://github.com/erlang/otp/ is missing all these bundled modules.
If there is a way to update these while building, then I would like to
know how that works, and also how that would work when
cross-compiling.

Using buildroot https://buildroot.org/ means creating a host build
(native to the build system) first and using it to create a target
build (native to the target system). This complicates steps involved
in what I can only assume means running a script (or compiles native
code?) that downloads the missing modules.

See also https://git.buildroot.net/buildroot/tree/package/erlang/erlang.mk

What puzzles me is that if you're going to announce a security
release, then why does the download page not mention that what you
download from there might be vulnerable? And in the same vein, I can
only guess that some very good reasons are stopping the OTP team from
packaging patch releases for distribution? What constraints might
those be?


Kind regards,
     jer
Re: Windows Patch Packages?

Ingela Andin
Hi!

2017-12-21 14:56 GMT+01:00 Jeroen Roovers <[hidden email]>:
     Hi everyone,


On 21 December 2017 at 14:07, Onorio Catenacci <[hidden email]> wrote:
> I would say that it's most likely that if you need those patch packages

I would think most people want or indeed need security patches.


I would think so too. However, this patch was handled the same way as any other unplanned patch release.
And you do not need to rebuild OTP to use it; it is enough to rebuild the ssl source files
only. This should be easy enough as it is only Erlang code.

We will consider if we should have some special handling for security patches in the future.

Regards, Ingela, Erlang/OTP Team - Ericsson AB

Re: Windows Patch Packages?

Jeroen Roovers
On 2 January 2018 at 10:50, Ingela Andin <[hidden email]> wrote:
> Hi!

> And you do not need to rebuild OTP to use it, it is enough to rebuild the
> ssl source files
> only. This should be easy enough as it is only Erlang code.

That should not be hard to integrate into the buildroot cross-compile
environment I use as long as I know what to actually do to "rebuild
the ssl source files". First I would need to fetch them from somewhere
(using some tool built for the host?) before building the target
distribution. It's not entirely clear yet how that would happen.

> We will consider if we should have some special handling for security
> patches in the future.

Thanks.


Kind regards,
     jer
Re: Windows Patch Packages?

Kenneth Lundin
By mistake my answer was only sent to Peter Tirrell; it should have been sent to the list.

Here it is:


The pre-built Windows installers on erlang.org are only provided for the planned releases and patch packages; they are not provided for "emergency" patches between or after the planned releases. 18.3 is the latest pre-built Windows installer for the OTP 18 release track.

In order to apply 18.3.4.7 you have to build from source.

Another possibility, if it is tricky to build on Windows, is that you build from source on Linux and then copy the only application changed by the patch to your Windows system under ERL_ROOT/lib, or somewhere else if you point it out with erl -pa <Path>.

Since OTP 20.2 is just a patch, it only lists in its README what has been fixed since the last patch, which was 20.1.7 containing a fix for OTP-14748. You can look in the release notes for the ssl application in OTP 20.2 and find that OTP-14748 is mentioned there.

So there is a Windows build, namely 20.2, which includes the patch you are looking for.

/Regards Kenneth, Erlang/OTP Ericsson

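A check a practitioner would want after following the copy-the-patched-application route described above, added here as an example and not code from any post in the thread or from the OTP project: given an ERL_ROOT, it reports which lib/ssl-<vsn> directory the default erl start would put on the code path (the code server takes the highest-versioned directory when several versions of an application coexist) and whether that meets a required minimum version. It assumes the standard lib/<app>-<vsn>/ebin/<app>.app layout; the version numbers and the /usr/local/lib/erlang path in it are constructed placeholders, not the ssl versions that addressed CVE-2017-1000385.

```shell
#!/bin/sh
# Added example (not from the thread): find which copy of an application an
# OTP install under ERL_ROOT would load once a patched copy has been dropped
# into ERL_ROOT/lib, and check it against a required minimum version.

# Extract the vsn string declared in a .app file: {vsn, "7.3.3.2"} -> 7.3.3.2
app_file_vsn() {
    sed -n 's/.*{vsn, *"\([^"]*\)"}.*/\1/p' "$1" | head -n 1
}

# Numeric, component-wise comparison of dotted versions (up to 5 components).
# Returns 0 (true) when $1 >= $2, so 7.3.3.2 >= 7.3.3 but not 7.3.3 >= 7.3.3.2.
vsn_ge() {
    top=$(printf '%s\n%s\n' "$1" "$2" |
          sort -t. -k1,1n -k2,2n -k3,3n -k4,4n -k5,5n | tail -n 1)
    [ "$top" = "$1" ]
}

# Print "<vsn> <dir>" for the highest-versioned lib/<app>-<vsn> directory,
# which is the copy the code server picks when several versions coexist.
# Directories whose .app vsn disagrees with the directory name are skipped,
# since that usually means a half-copied or mislabelled application.
winning_app_vsn() {
    root=$1 app=$2 best='' bestdir=''
    for d in "$root"/lib/"$app"-*/; do
        d=${d%/}
        [ -f "$d/ebin/$app.app" ] || continue
        v=${d##*/}; v=${v#"$app-"}
        [ "$(app_file_vsn "$d/ebin/$app.app")" = "$v" ] || continue
        if [ -z "$best" ] || ! vsn_ge "$best" "$v"; then
            best=$v; bestdir=$d
        fi
    done
    [ -n "$best" ] && printf '%s %s\n' "$best" "$bestdir"
}

# Exit 0 if the winning copy of <app> under <root> is at least version <min>.
app_at_least() {
    have=$(winning_app_vsn "$1" "$2" | cut -d' ' -f1)
    [ -n "$have" ] && vsn_ge "$have" "$3"
}

# Usage (placeholder path and version): sh check_app.sh /usr/local/lib/erlang ssl 7.3.3.2
if [ "$#" -eq 3 ]; then
    if app_at_least "$1" "$2" "$3"; then
        echo "$2 $(winning_app_vsn "$1" "$2") satisfies >= $3"
    else
        echo "$2 under $1 is older than $3 (or missing)"; exit 1
    fi
fi
```

Pointing erl at a patched copy with -pa instead bypasses this ordering, since -pa directories are prepended to the path regardless of version.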
Re: Windows Patch Packages?

Onorio Catenacci
Thanks for clarifying the situation, Kenneth.

While I agree with those who said that everyone should want all of the security patches and such on Windows (definitely true), I am afraid that some of the folks are looking for a turnkey solution to applying these patches which is simply not the case and it's not likely to be the case at any point in the future.
