[Pkg-erlang-devel] Bug#1101713: Bug#1101713: erlang: CVE-2025-30211

Sergei Golovan sgolovan at gmail.com
Mon Mar 31 10:12:31 BST 2025


Control: tag 1101713 + pending

Hi Salvatore,

On Sun, Mar 30, 2025 at 10:51 PM Salvatore Bonaccorso <carnil at debian.org> wrote:
>
> Hi,
>
> The following vulnerability was published for erlang.
>
> CVE-2025-30211[0]:
> | Erlang/OTP is a set of libraries for the Erlang programming
> | language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a
> | maliciously formed KEX init message can result in high memory
> | usage. The implementation does not verify the RFC-specified limit on
> | algorithm names (64 characters) provided in a KEX init message. A big
> | KEX init packet may lead to inefficient processing of the error
> | data. As a result, a large amount of memory will be allocated for
> | processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and
> | OTP-25.3.2.19 fix the issue. Some workarounds are available. One may
> | set option `parallel_login` to `false` and/or reduce the
> | `max_sessions` option.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

I'll upload 27.3.1 in a few days. Does it make sense to backport the fix
from 25.3.2.19 to erlang in stable?

Cheers!
-- 
Sergei Golovan
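As an added illustration of the check the CVE text above describes (the RFC 4251 section 4.6 limit of 64 characters on algorithm names in a KEX init name-list), the following Python parser rejects an over-limit name as soon as it is seen and bounds-checks every declared length before copying anything. This is a constructed example for this thread, not Erlang/OTP's ssh application code; the names `parse_kexinit`, `parse_name_list`, `build_kexinit`, `KexInitError` and the extra per-list cap `MAX_NAMES_PER_LIST` are this example's own choices, and the sample packets are built in the block itself.

```python
import struct

# Constructed defensive example (not Erlang/OTP code): parse an SSH_MSG_KEXINIT
# payload (RFC 4253 section 7.1) and reject any algorithm name longer than the
# 64-character limit of RFC 4251 section 4.6 before it is stored anywhere.

SSH_MSG_KEXINIT = 20
COOKIE_LEN = 16
MAX_NAME_LEN = 64          # RFC 4251 section 4.6
MAX_NAMES_PER_LIST = 256   # assumed defensive bound for this example, not from the RFC

NAME_LIST_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)


class KexInitError(ValueError):
    """Malformed or over-limit KEXINIT; the caller should drop the connection."""


def parse_name_list(raw: bytes) -> list[str]:
    """Split an RFC 4251 name-list, checking each name's length as it is seen."""
    if not raw:
        return []
    names = []
    for chunk in raw.split(b","):
        if not chunk:
            raise KexInitError("empty name in name-list")
        if len(chunk) > MAX_NAME_LEN:
            # Fail before decoding or storing: the point of the check is to
            # stop work on an over-limit name as early as possible.
            raise KexInitError(f"name longer than {MAX_NAME_LEN} bytes")
        if not chunk.isascii():
            raise KexInitError("name-list must be US-ASCII")
        names.append(chunk.decode("ascii"))
        if len(names) > MAX_NAMES_PER_LIST:
            raise KexInitError("too many names in name-list")
    return names


def parse_kexinit(payload: bytes) -> dict:
    """Parse a KEXINIT payload with a bounds check on every declared length."""
    if len(payload) < 1 + COOKIE_LEN or payload[0] != SSH_MSG_KEXINIT:
        raise KexInitError("not a KEXINIT payload")
    off = 1 + COOKIE_LEN
    result = {"cookie": payload[1:off]}
    for field in NAME_LIST_FIELDS:
        if off + 4 > len(payload):
            raise KexInitError(f"truncated before {field}")
        (length,) = struct.unpack_from(">I", payload, off)
        off += 4
        if length > len(payload) - off:
            # A declared length larger than the received data must never be
            # used to size an allocation.
            raise KexInitError(f"{field} length exceeds payload")
        result[field] = parse_name_list(payload[off:off + length])
        off += length
    if off + 1 + 4 != len(payload):
        raise KexInitError("bad trailer length")
    result["first_kex_packet_follows"] = payload[off] != 0
    (result["reserved"],) = struct.unpack_from(">I", payload, off + 1)
    return result


def build_kexinit(lists: dict, cookie: bytes = b"\x00" * COOKIE_LEN) -> bytes:
    """Build a KEXINIT payload; used here only to construct sample input."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in NAME_LIST_FIELDS:
        raw = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + struct.pack(">I", 0)


if __name__ == "__main__":
    ok = build_kexinit({"kex_algorithms": ["curve25519-sha256",
                                           "diffie-hellman-group14-sha256"]})
    print(parse_kexinit(ok)["kex_algorithms"])
    over_limit = build_kexinit({"kex_algorithms": ["a" * 65]})   # constructed
    try:
        parse_kexinit(over_limit)
    except KexInitError as e:
        print("rejected:", e)
```

The structure matters more than the language: the length test sits inside the loop that walks the name-list, so a rejected name costs one comparison rather than a decode, a copy into a session record and a later error path that has to format the whole oversized list. The `max_sessions` and `parallel_login` workarounds in the advisory bound how many such parses can be in flight at once; the check above bounds how much each one can cost.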