[Pkg-erlang-devel] Bug#1104963: erlang: CVE-2025-46712

Salvatore Bonaccorso carnil at debian.org
Fri May 9 05:22:25 BST 2025


Source: erlang
Version: 1:27.3.3+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for erlang.

CVE-2025-46712[0]:
| Erlang/OTP is a set of libraries for the Erlang programming
| language. In versions prior to OTP-27.3.4 (for OTP-27),
| OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25),
| Erlang/OTP SSH fails to enforce strict KEX handshake hardening
| measures by allowing optional messages to be exchanged. This allows
| a Man-in-the-Middle attacker to inject these messages in a
| connection during the handshake. This issue has been patched in
| versions OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and
| OTP-25.3.2.21 (for OTP-25).

This does not warrant a DSA, fwiw, might be fixed in one of the next
point releases ideally, but as well ideally already in trixie before
the release.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-46712
    https://www.cve.org/CVERecord?id=CVE-2025-46712
[1] https://github.com/erlang/otp/security/advisories/GHSA-934x-xq38-hhqf

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
