[Git][security-tracker-team/security-tracker][master] Add some new erlang issues

[Salvatore Bonaccorso (@carnil)]

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1d98a3df by Salvatore Bonaccorso at 2026-06-10T22:53:34+02:00
Add some new erlang issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -110,9 +110,15 @@ CVE-2026-49822 (Fission is an open-source, Kubernetes-native serverless framewor
 CVE-2026-49821 (Fission is an open-source, Kubernetes-native serverless framework that ...)
 	NOT-FOR-US: Fission
 CVE-2026-49760 (Stack-based Buffer Overflow vulnerability in Erlang OTP (erl_interface ...)
-	TODO: check
+	- erlang <unfixed>
+	NOTE: https://osv.dev/vulnerability/EEF-CVE-2026-49760
+	NOTE: https://cna.erlef.org/cves/CVE-2026-49760.html
+	NOTE: Fixed by: https://github.com/erlang/otp/commit/0bef277b2d39dc8babb9ceb4f5d0a456f3007111 (OTP-29.0.2, OTP-28.5.0.2, OTP-27.3.4.13)
 CVE-2026-49759 (Stack-based Buffer Overflow vulnerability in Erlang OTP erts (inet_drv ...)
-	TODO: check
+	- erlang <unfixed>
+	NOTE: https://cna.erlef.org/cves/CVE-2026-49759.html
+	NOTE: https://osv.dev/vulnerability/EEF-CVE-2026-49759
+	NOTE: Fixed by: https://github.com/erlang/otp/commit/3983d495284331c121f600a80bac9fcf4e16381e (OTP-29.0.2, OTP-28.5.0.2, OTP-27.3.4.13)
 CVE-2026-49498 (Ghidra 11.0 before 12.1 contains a SQL injection vulnerability in the  ...)
 	TODO: check
 CVE-2026-49497 (Ghidra before 12.1 contains a path traversal vulnerability in SameDirD ...)
@@ -124,15 +130,36 @@ CVE-2026-49495 (Ghidra 10.2 before 12.1 contains an uncontrolled resource consum
 CVE-2026-49069 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
 	NOT-FOR-US: WordPress plugin or theme
 CVE-2026-48860 (Reliance on IP Address for Authentication vulnerability in Erlang/OTP  ...)
-	TODO: check
+	- erlang <unfixed>
+	NOTE: https://github.com/erlang/otp/security/advisories/GHSA-gp7x-mfv6-52cv
+	NOTE: https://cna.erlef.org/cves/CVE-2026-48860.html
+	NOTE: https://osv.dev/vulnerability/EEF-CVE-2026-48860
+	NOTE: Fixed by: https://github.com/erlang/otp/commit/0209a6df65d605552b378273027b3968b35f26b4 (OTP-29.0.2, OTP-28.5.0.2, OTP-27.3.4.13)
 CVE-2026-48859 (Observable Timing Discrepancy vulnerability in Erlang/OTP ssh (ssh_aut ...)
-	TODO: check
+	- erlang <not-affected> (Vulnerable code not present)
+	NOTE: https://cna.erlef.org/cves/CVE-2026-48859.html
+	NOTE: https://osv.dev/vulnerability/EEF-CVE-2026-48859
+	NOTE: Introduced with: https://github.com/erlang/otp/commit/032d1bc9491a3975c68faf9bc7776115d6ae3005 (OTP-29.0-rc2)
+	NOTE: Fixed by: https://github.com/erlang/otp/commit/c342092ef4b369bb409d5b71ac8fd83bab74aedf (OTP-29.0.2)
 CVE-2026-48858 (Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ft ...)
-	TODO: check
+	- erlang <unfixed>
+	NOTE: https://github.com/erlang/otp/security/advisories/GHSA-24cv-hwgr-37fq
+	NOTE: https://cna.erlef.org/cves/CVE-2026-48858.html
+	NOTE: https://osv.dev/vulnerability/EEF-CVE-2026-48858
+	NOTE: Fixed by: https://github.com/erlang/otp/commit/2691a806231ffd0490a8a9e20500dec0c7e73727 (OTP-29.0.2, OTP-28.5.0.2)
+	NOTE: Fixed by: https://github.com/erlang/otp/commit/521bcfa24407ee8cb5614823cf905c37ea3aa605 (OTP-27.3.4.13)
 CVE-2026-48856 (Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_respo ...)
-	TODO: check
+	- erlang <unfixed>
+	NOTE: https://github.com/erlang/otp/security/advisories/GHSA-m75x-4vwg-ggjh
+	NOTE: https://cna.erlef.org/cves/CVE-2026-48856.html
+	NOTE: https://osv.dev/vulnerability/EEF-CVE-2026-48856
+	NOTE: Fixed by: https://github.com/erlang/otp/commit/688d748d6f7a6a06b13b662a1d3de8af97079612 (OTP-29.0.2, OTP-28.5.0.2, OTP-27.3.4.13)
 CVE-2026-48855 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...)
-	TODO: check
+	- erlang <unfixed>
+	NOTE: https://github.com/erlang/otp/security/advisories/GHSA-pv7g-pjrq-x2fh
+	NOTE: https://cna.erlef.org/cves/CVE-2026-48855.html
+	NOTE: https://osv.dev/vulnerability/EEF-CVE-2026-48855
+	NOTE: Fixed by: https://github.com/erlang/otp/commit/8f4224a0d2676b0653d2c71a889a956e8c2c62d6 (OTP-29.0.2, OTP-28.5.0.2, OTP-27.3.4.13)
 CVE-2026-48556
 	REJECTED
 CVE-2026-48096 (OpenFGA is an authorization/permission engine built for developers. Pr ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d98a3dff2803cb0014b79584106fe6a7e631f44

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d98a3dff2803cb0014b79584106fe6a7e631f44
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260610/2a3274aa/attachment-0001.htm>