[Pkg-erlang-devel] Bug#1059002: Bug#1059002: erlang: CVE-2023-48795

Salvatore Bonaccorso carnil at debian.org
Tue Dec 19 11:14:12 GMT 2023


Hi Sergei,

On Tue, Dec 19, 2023 at 12:12:27PM +0300, Sergei Golovan wrote:
> Hi Salvatore,
> 
> On Tue, Dec 19, 2023 at 11:24 AM Salvatore Bonaccorso <carnil at debian.org> wrote:
> >
> > Source: erlang
> > Version: 1:25.2.3+dfsg-1
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> >
> > Hi,
> >
> > The following vulnerability was published for erlang.
> >
> > CVE-2023-48795[0]:
> 
> Reading the latest announcement on the Erlang mailing list I've found
> that there is an update of ssh in Erlang 25 which addresses
> CVE-2023-48795:
> https://erlang.org/pipermail/erlang-announce/2023-December/000260.html
> 
> I will try to backport these changes to Erlang currently in stable if
> it's necessary. As for the unstable, the newest version will fix this
> as well.

Thanks for working on it. I would say, let's start top-down so go
first through unstable upload, then we can assess the state for it for
the security supported suites (and if it needs a DSA or can go through
a point release).

There might be e.g. a mitigating factor if ChaCha20-Poly1305 and
Encrypt-then-MAC support is missing.

Regards,
Salvatore
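The mitigating factor mentioned above can be checked directly against an OTP installation. The following is an added example, not code from the thread or from the Erlang/OTP project: it lists which of the algorithm families CVE-2023-48795 concerns (the chacha20-poly1305@openssh.com cipher and the -etm@openssh.com MACs) the local ssh application would offer by default, and builds a modify_algorithms option that removes them as a stop-gap for ssh:daemon/3 or ssh:connect/3 until the patched ssh application is installed. It assumes the ssh application is present and uses ssh:default_algorithms/0 and the documented modify_algorithms option; the module and function names are the example's own.

```erlang
%% Added example (not from the bug thread or from Erlang/OTP): report the
%% CVE-2023-48795-relevant algorithms an OTP ssh installation offers, and
%% produce an option that removes them until a fixed ssh application is in place.
-module(terrapin_check).
-export([affected_algorithms/0, hardening_option/0]).

%% Algorithm identifiers as registered by OpenSSH-compatible implementations.
-define(CHACHA, 'chacha20-poly1305@openssh.com').

%% True for Encrypt-then-MAC variants such as hmac-sha2-256-etm@openssh.com.
is_etm_mac(Mac) ->
    lists:suffix("-etm@openssh.com", atom_to_list(Mac)).

%% Returns {Ciphers, Macs}: the affected algorithms present in the default
%% algorithm lists, merged over both directions (client2server/server2client).
%% Both lists empty means the installation cannot negotiate the affected modes.
affected_algorithms() ->
    Defaults = ssh:default_algorithms(),
    {cipher, CipherDirs} = lists:keyfind(cipher, 1, Defaults),
    {mac, MacDirs} = lists:keyfind(mac, 1, Defaults),
    Ciphers = lists:usort([C || {_Dir, Cs} <- CipherDirs, C <- Cs, C =:= ?CHACHA]),
    Macs = lists:usort([M || {_Dir, Ms} <- MacDirs, M <- Ms, is_etm_mac(M)]),
    {Ciphers, Macs}.

%% Option for ssh:daemon/3 or ssh:connect/3 that removes the affected
%% algorithms in both directions, e.g.
%%   ssh:daemon(Port, [terrapin_check:hardening_option() | OtherOpts]).
%% Assumes the modify_algorithms option of the ssh application.
hardening_option() ->
    {Ciphers, Macs} = affected_algorithms(),
    {modify_algorithms, [{rm, [{cipher, Ciphers}, {mac, Macs}]}]}.
```

Removing these algorithms only narrows the negotiable set; the upstream fix (strict key exchange) is still required, and peers that only offer the removed algorithms will fail to connect.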


