[Pkg-erlang-devel] Question regarding erlang Package 1:25.2.3+dfsg-1+deb12u1
Sergei Golovan
sgolovan at gmail.com
Tue Jun 24 09:21:52 BST 2025
Hi Tara,
On Tue, Jun 24, 2025 at 10:27 AM Dommershausen, Tara
<Tara.Dommershausen at controlware.de> wrote:
>
> I have a question regarding Erlang Debian Package Version 1:25.2.3+dfsg-1+deb12u1.
>
> We noticed a discrepancy between the package version number and the underlying Erlang/OTP version and we wondered if this is on purpose or if there might be a mistake here.
>
> We came across this when using a vulnerability scanner for CVE-2025-32433. On the Debian page (https://security-tracker.debian.org/tracker/CVE-2025-32433 and https://tracker.debian.org/news/1640554/accepted-erlang-12523dfsg-1deb12u1-source-into-stable-security/) it says that the Package Version 1:25.2.3+dfsg-1+deb12u1 patches the vulnerability, but the underlying Erlang/OTP Version has the Version Number 25.3.2.20. Because of this difference in the version numbers the vulnerability scanner is not able to detect that the patched version is installed, because it compares the Debian package version to the original Erlang/OTP Version.
In Debian it rarely happens that software is updated in the stable
release branch even if there are new bugfix versions upstream. So if
some serious bug like CVE-2025-32433 arises, we cherry-pick the
relevant bugfixes rather than taking all the new upstream releases. The
Debian version 1:25.2.3+dfsg-1+deb12u1 means in this case that there
was one update of Erlang 25.2.3 in stable (Debian 12/bookworm, hence
the deb12u1 suffix). Unfortunately, this doesn't help to know which
vulnerabilities have been fixed in this update using only version
checks. The only reliable source of changes is the changelog, e.g.
https://metadata.ftp-master.debian.org/changelogs//main/e/erlang/erlang_25.2.3+dfsg-1+deb12u1_changelog
>
> Is this discrepancy in version number by purpose or is it maybe a mistake and will the versions be aligned in a new package soon?
Yes, it is on purpose. The package in Debian stable currently does not
match any upstream release. It is a patched 25.2.3 with several bugs
fixed.
>
> I hope I am reaching the responsible person for my question here, otherwise could you forward my question or give me a hint where I have to ask?
The email address redirects messages to the Erlang team, so it's fine
to ask here.
Cheers!
--
Sergei Golovan
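The check the thread is about, as an added example that is not part of the mailing-list post and not code from the Debian Erlang team. It reimplements dpkg's version ordering (epoch, upstream version, Debian revision, with the `~` and digit-run rules of deb-version(7)) so that a scanner can compare an installed Debian version against the fixed Debian version the security tracker lists (per the thread, 1:25.2.3+dfsg-1+deb12u1) instead of against the upstream Erlang/OTP release number (25.3.2.20 in the question). `naive_upstream_check` is an assumed reconstruction of what the questioner's scanner does; the changelog text, maintainer name and dates in `SAMPLE_CHANGELOG` are constructed for the example and are not the real erlang changelog, only the CVE id comes from the thread.

```python
import re

# Added example, not from the thread or the Debian Erlang team: compare Debian
# package versions the way dpkg does (deb-version(7)) and read fixed CVE ids
# out of the package changelog, instead of comparing the Debian version string
# against an upstream Erlang/OTP release number.

def _order(c):
    """dpkg character weight: '~' sorts before end-of-string, letters before others."""
    if c is None or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp for an upstream-version or revision string."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit run: compare character weights one by one
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else None)
            bc = _order(b[j] if j < len(b) else None)
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # digit run: numeric comparison, leading zeros ignored
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def parse_debian_version(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    return (epoch, upstream, revision) if sep else (epoch, version, "")

def compare_debian_versions(a, b):
    """-1, 0 or 1 in the order `dpkg --compare-versions` would use."""
    ea, ua, ra = parse_debian_version(a)
    eb, ub, rb = parse_debian_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0

def naive_upstream_check(installed_debian, upstream_fixed):
    """Assumed reconstruction of the scanner's logic from the question: strip
    epoch, revision and the '+dfsg' repack tag, then compare the remainder with
    the upstream fixed release. True means it reports the package as vulnerable."""
    upstream = re.sub(r"\+dfsg.*$", "", parse_debian_version(installed_debian)[1])
    return _verrevcmp(upstream, upstream_fixed) < 0

def is_fixed(installed_debian, fixed_debian):
    """Correct check: installed >= fixed Debian version from the security tracker."""
    return compare_debian_versions(installed_debian, fixed_debian) >= 0

# Constructed sample in the shape of a Debian changelog (not the real erlang
# changelog text, maintainer or dates); the CVE id is the one from the thread.
SAMPLE_CHANGELOG = """\
erlang (1:25.2.3+dfsg-1+deb12u1) bookworm-security; urgency=high

  * Cherry-pick upstream fix for CVE-2025-32433.

 -- Example Maintainer <maint@example.org>  Mon, 05 May 2025 10:00:00 +0200

erlang (1:25.2.3+dfsg-1) unstable; urgency=medium

  * New upstream release.

 -- Example Maintainer <maint@example.org>  Mon, 06 Feb 2023 10:00:00 +0100
"""
STANZA_RE = re.compile(r"^(\S+) \(([^)]+)\) \S+; urgency=\S+$", re.M)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

def cves_fixed_by(changelog, installed_debian):
    """CVE ids named in every changelog stanza whose version is <= the installed one."""
    heads = list(STANZA_RE.finditer(changelog))
    found = []
    for k, m in enumerate(heads):
        end = heads[k + 1].start() if k + 1 < len(heads) else len(changelog)
        if compare_debian_versions(m.group(2), installed_debian) <= 0:
            for cve in CVE_RE.findall(changelog[m.start():end]):
                if cve not in found:
                    found.append(cve)
    return found
```

With the installed version from the thread, `naive_upstream_check(installed, "25.3.2.20")` returns True (the false positive the questioner saw, because 25.2.3 sorts below 25.3.2.20), while `is_fixed(installed, "1:25.2.3+dfsg-1+deb12u1")` returns True and `cves_fixed_by(SAMPLE_CHANGELOG, installed)` names the CVE, which is the two-step check a scanner needs on Debian stable: compare against the distribution's fixed version, and confirm from the changelog which CVEs that version actually addresses.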