[Pkg-erlang-devel] Bug#1115093: Bug#1115093: erlang: CVE-2025-48038

Salvatore Bonaccorso carnil at debian.org
Tue Sep 16 09:08:59 BST 2025


Hi Sergei,

On Tue, Sep 16, 2025 at 10:17:59AM +0300, Sergei Golovan wrote:
> Hi Salvatore,
> 
> On Sat, Sep 13, 2025 at 1:39 PM Salvatore Bonaccorso <carnil at debian.org> wrote:
> >
> > Hi,
> >
> > The following vulnerability was published for erlang.
> >
> > CVE-2025-48038[0]:
> > | Allocation of Resources Without Limits or Throttling vulnerability
> > | in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation,
> > | Resource Leak Exposure. This vulnerability is associated with
> > | program files lib/ssh/src/ssh_sftpd.erl.  This issue affects OTP
> > | from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15
> > | corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
> 
> I have uploaded the latest upstream versions with fixes to all five
> reported CVEs to unstable and experimental.
> 
> Now I'd like to backport the fixes to trixie and bookworm as well. Do
> you think the CVEs are serious enough to warrant a DSA? Or should I just
> upload them to the proposed-updates suites (with suitable bug reports
> to the release.debian.org pseudopackage)?

Thanks for reaching out and having fixed the issues already in
unstable and experimental!

We think a point release update should be enough for those issues. Can
you contact the SRM accordingly?

Thanks a lot as well for taking care of fixing the issues in trixie
and bookworm.

Regards,
Salvatore
