Debian Package Tracker

erlang-cowlib

Erlang library for manipulating web protocols


general
  • source: erlang-cowlib (main)
  • version: 2.17.1-2
  • maintainer: Debian Erlang Packagers (archive) (DMD)
  • uploaders: Sergei Golovan [DMD]
  • arch: all any
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 1.3.0-3
  • oldstable: 1.3.0-3
  • stable: 1.3.0-3
  • testing: 2.17.1-1
  • unstable: 2.17.1-2
versioned links
  • 1.3.0-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.17.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.17.1-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • erlang-cowlib
  • erlang-cowlib-doc
action needed
A new upstream version is available: 2.18.0 high
A new upstream version 2.18.0 is available, you should consider packaging it.
Created: 2026-07-04 Last update: 2026-07-04 15:00
2 low-priority security issues in trixie low

There are 2 open security issues in trixie.

2 issues left for the package maintainer to handle:
  • CVE-2026-7790: (needs triaging) Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation. The chunked transfer-encoding parser in cow_http_te accepts an unbounded number of hex digits in the chunk-size field. Each digit causes a bignum multiplication (Len * 16 + digit), so parsing N hex digits requires O(N²) CPU work and O(N) memory. Additionally, when input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, raising the cost to O(N³). An unauthenticated remote attacker can exploit this by sending an HTTP/1.1 request with Transfer-Encoding: chunked and a very long chunk-size hex string to cause denial of service through CPU exhaustion and memory amplification. This vulnerability is associated with program file src/cow_http_te.erl and program routines cow_http_te:stream_chunked/2, cow_http_te:chunked_len/4. This issue affects cowlib: from 0.6.0 before 2.16.1.
  • CVE-2026-43970: (needs triaging) Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion. cow_spdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY header compression dictionary (?ZDICT) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for syn_stream, syn_reply, and headers frame types are all affected via cow_spdy:parse_headers/2. This issue affects cowlib from 0.1.0 before 2.16.1.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-05-12 Last update: 2026-07-04 00:30
2 low-priority security issues in bookworm low

There are 2 open security issues in bookworm.

2 issues left for the package maintainer to handle:
  • CVE-2026-7790: (needs triaging) Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation. The chunked transfer-encoding parser in cow_http_te accepts an unbounded number of hex digits in the chunk-size field. Each digit causes a bignum multiplication (Len * 16 + digit), so parsing N hex digits requires O(N²) CPU work and O(N) memory. Additionally, when input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, raising the cost to O(N³). An unauthenticated remote attacker can exploit this by sending an HTTP/1.1 request with Transfer-Encoding: chunked and a very long chunk-size hex string to cause denial of service through CPU exhaustion and memory amplification. This vulnerability is associated with program file src/cow_http_te.erl and program routines cow_http_te:stream_chunked/2, cow_http_te:chunked_len/4. This issue affects cowlib: from 0.6.0 before 2.16.1.
  • CVE-2026-43970: (needs triaging) Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion. cow_spdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY header compression dictionary (?ZDICT) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for syn_stream, syn_reply, and headers frame types are all affected via cow_spdy:parse_headers/2. This issue affects cowlib from 0.1.0 before 2.16.1.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-05-12 Last update: 2026-07-04 00:30
testing migrations
  • excuses:
    • Migration status for erlang-cowlib (2.17.1-1 to 2.17.1-2): BLOCKED: Maybe temporary, maybe blocked but Britney is missing information (check below)
    • Issues preventing migration:
      • Missing build on riscv64
      • Autopkgtest deferred on riscv64: missing arch:riscv64 build
      • Lintian check waiting for test results on riscv64 - info
      • Too young, only 0 of 5 days old
    • Additional info (not blocking):
      • Piuparts tested OK - https://piuparts.debian.org/sid/source/e/erlang-cowlib.html
      • Reproduced on amd64 - info
      • Reproduced on arm64 - info
      • Reproduced on armhf - info
      • Reproduced on i386 - info
    • Not considered
news
[rss feed]
  • [2026-07-03] Accepted erlang-cowlib 2.17.1-2 (source all amd64) into unstable (Debian FTP Masters) (signed by: Sergei Golovan)
  • [2026-06-24] erlang-cowlib 2.17.1-1 MIGRATED to testing (Debian testing watch)
  • [2026-06-19] Accepted erlang-cowlib 2.17.1-1 (source) into unstable (Sergei Golovan)
  • [2024-08-19] erlang-cowlib 1.3.0-3 MIGRATED to testing (Debian testing watch)
  • [2024-07-19] erlang-cowlib REMOVED from testing (Debian testing watch)
  • [2018-06-05] erlang-cowlib 1.3.0-3 MIGRATED to testing (Debian testing watch)
  • [2018-05-30] Accepted erlang-cowlib 1.3.0-3 (source amd64) into unstable (Nobuhiro Iwamatsu)
  • [2017-01-10] erlang-cowlib 1.3.0-2 MIGRATED to testing (Debian testing watch)
  • [2016-12-30] Accepted erlang-cowlib 1.3.0-2 (source) into unstable (Balint Reczey)
  • [2015-05-05] erlang-cowlib 1.3.0-1 MIGRATED to testing (Britney)
  • [2015-04-29] Accepted erlang-cowlib 1.3.0-1 (source amd64) into unstable (Balint Reczey)
  • [2014-10-25] erlang-cowlib 1.0.0-1 MIGRATED to testing (Britney)
  • [2014-10-14] Accepted erlang-cowlib 1.0.0-1 (source amd64) into unstable (Balint Reczey)
  • [2014-08-13] erlang-cowlib 0.6.2-2 MIGRATED to testing (Britney)
  • [2014-08-07] Accepted erlang-cowlib 0.6.2-2 (source amd64) into unstable (Balint Reczey)
  • [2014-08-06] erlang-cowlib 0.6.2-1 MIGRATED to testing (Britney)
bugs [bug history graph]
  • all: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 1.3.0-3build1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.