[Pkg-erlang-devel] Bug#1115093: Bug#1115093: erlang: CVE-2025-48038
Sergei Golovan
sgolovan at gmail.com
Tue Sep 16 08:17:59 BST 2025
Hi Salvatore,
On Sat, Sep 13, 2025 at 1:39 PM Salvatore Bonaccorso <carnil at debian.org> wrote:
>
> Hi,
>
> The following vulnerability was published for erlang.
>
> CVE-2025-48038[0]:
> | Allocation of Resources Without Limits or Throttling vulnerability
> | in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation,
> | Resource Leak Exposure. This vulnerability is associated with
> | program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP
> | form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15
> | corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
I have uploaded the latest upstream versions with fixes to all five
reported CVEs
to unstable and experimental.
Now I'd like to backport the fixes to trixie and bookworm as well. Do
you think the CVEs
are serious enough to warrant DSA? Or I'll just upload them to the
proposed-updates suits
(with suitable bugreports to the release.debian.org pseudopackage)?
Cheers!
--
Sergei Golovan
More information about the Pkg-erlang-devel
mailing list