[Pkg-erlang-devel] erlang_23.2.6+dfsg-1+deb11u2_source.changes ACCEPTED into oldstable-proposed-updates->oldstable-new

Debian FTP Masters ftpmaster at ftp-master.debian.org
Sun Apr 20 22:49:07 BST 2025


Thank you for your contribution to Debian.

Mapping bullseye to oldstable.
Mapping oldstable to oldstable-proposed-updates.

Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 20 Apr 2025 11:42:54 +0200
Source: erlang
Architecture: source
Version: 1:23.2.6+dfsg-1+deb11u2
Distribution: bullseye
Urgency: medium
Maintainer: Debian Erlang Packagers <pkg-erlang-devel at lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca at debian.org>
Closes: 1059002 1101713 1103442
Changes:
 erlang (1:23.2.6+dfsg-1+deb11u2) bullseye; urgency=medium
 .
   * Non-maintainer upload by the LTS Team
 .
   [Sergei Golovan]
   * Add a patch from upstream which fixes segfaults on heavy load because
     the process message queue can be left in an inconsistent state when
     changing from on_heap to off_heap message queue data.
 .
   [Bastien Roucariès]
   * Fix CVE-2023-48795 (Terrapin attack):
     The SSH transport protocol with certain OpenSSH extensions
     allows remote attackers to bypass integrity checks such
     that some packets are omitted (from the extension
     negotiation message), and a client and server may
     consequently end up with a connection for which
     some security features have been downgraded.
     .
     ssh can negotiate the "strict KEX" OpenSSH extension with
     peers supporting it; also, the
     'chacha20-poly1305 at openssh.com' algorithm becomes a
     less preferred cipher.
     .
     If strict KEX availability cannot be ensured on both
     connection sides, the affected encryption modes (CHACHA and
     CBC) can be disabled with standard ssh configuration.
     This will provide protection against the vulnerability, but
     at the cost of affecting interoperability. See
     Configuring algorithms in SSH.
     (Closes: #1059002)
   * Fix CVE-2025-26618:
     Packet size is not verified properly for SFTP packets.
     As a result, when multiple SSH packets (conforming to the max
     SSH packet size) are received by ssh, they might be combined
     into an SFTP packet which will exceed the max allowed packet
     size and potentially cause a large amount of memory
     to be allocated. Note that the situation described above can
     only happen for successfully authenticated users after
     completing the SSH handshake.
   * Fix CVE-2025-30211:
     A maliciously formed KEX init message can result
     in high memory usage. The implementation does not verify
     the RFC-specified limits on algorithm names (64 characters)
     provided in the KEX init message. A big KEX init packet may
     lead to inefficient processing of the error data.
     As a result, a large amount of memory will be allocated for
     processing malicious data.
     (Closes: #1101713)
   * Fix CVE-2025-32433: Remote Code Execution
     An SSH server may allow an attacker to perform unauthenticated
     remote code execution (RCE). By exploiting a flaw in SSH protocol
     message handling, a malicious actor could gain unauthorized access
     to affected systems and execute arbitrary commands without valid
     credentials.
     (Closes: #1103442)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
