Bump erlang version to cover CVE-2022-37026

Change-Id: Iff473a20c4b586acfa11d67a9d6cc73d9518e8e1
2023-01-20 17:42:39 +01:00 · 2023-01-20 17:42:39 +01:00 · dffbf793ee
parent 0a692b02f8
commit dffbf793ee
3 changed files with 7 additions and 2 deletions
--- a/releasenotes/notes/erlang_cve_37026-bdf6304e7772cf29.yaml
+++ b/releasenotes/notes/erlang_cve_37026-bdf6304e7772cf29.yaml
@ -0,0 +1,5 @@
+---
+security:
+  - |
+    Erlang version was bumped to 24.3.4.7 to cover CVE-2022-37026
+    which has critical severity
--- a/vars/debian.yml
+++ b/vars/debian.yml
@ -35,7 +35,7 @@ _rabbitmq_erlang_repo:
  state: "present"
  filename: els_erlang

-_rabbitmq_erlang_version_spec: "{{ (rabbitmq_install_method == 'external_repo') | ternary('1:24.3.4-1', '1:22.*') }}"
+_rabbitmq_erlang_version_spec: "{{ (rabbitmq_install_method == 'external_repo') | ternary('1:24.3.4.7-1', '1:22.*') }}"

 rabbitmq_dependencies:
  - erlang-base
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@ -15,7 +15,7 @@

 _rabbitmq_install_method: external_repo
 _rabbitmq_package_version: 3.10.2-1
-_erlang_package_version: 24.3.4-1
+_erlang_package_version: 24.3.4.7-1

 # NOTE(noonedeadpunk): List of available packages can be searched here: https://cloudsmith.io/~rabbitmq/repos/