Format: 1.8
Date: Sun, 20 Apr 2025 11:42:54 +0200
Source: erlang
Architecture: source
Version: 1:23.2.6+dfsg-1+deb11u2
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1059002 1101713 1103442
Changes:
 erlang (1:23.2.6+dfsg-1+deb11u2) bullseye-security; urgency=medium
 .
   * Non Maintainer Upload by LTS Team
 .
   [Sergei Golovan]
   * Add a patch from upstream which fixes segfaults on heavy load because
     the process message queue can be left in an inconsistent state when
     changing from on_heap to off_heap message queue data.
 .
   [Bastien Roucariès]
   * Fix CVE-2023-48795 (Terrapin attack): The SSH transport protocol with
     certain OpenSSH extensions allows remote attackers to bypass integrity
     checks such that some packets are omitted (from the extension
     negotiation message), and a client and server may consequently end up
     with a connection for which some security features have been
     downgraded.
 .
     ssh can negotiate the "strict KEX" OpenSSH extension with peers
     supporting it; also the 'chacha20-poly1305@openssh.com' algorithm
     becomes a less preferred cipher.
 .
     If strict KEX availability cannot be ensured on both connection sides,
     the affected encryption modes (CHACHA and CBC) can be disabled with
     standard ssh configuration. This will provide protection against the
     vulnerability, but at the cost of affecting interoperability. See
     "Configuring algorithms in SSH". (Closes: #1059002)
   * Fix CVE-2025-26618: Packet size is not verified properly for SFTP
     packets. As a result, when multiple SSH packets (conforming to the max
     SSH packet size) are received by ssh, they might be combined into an
     SFTP packet which will exceed the max allowed packet size and
     potentially cause a large amount of memory to be allocated. Note that
     the situation described above can only happen for successfully
     authenticated users after completing the SSH handshake.
   * Fix CVE-2025-30211: A maliciously formed KEX init message can result in
     high memory usage. The implementation does not verify the RFC-specified
     limits on algorithm names (64 characters) provided in the KEX init
     message. A big KEX init packet may lead to inefficient processing of
     the error data. As a result, a large amount of memory will be allocated
     for processing malicious data. (Closes: #1101713)
   * Fix CVE-2025-32433: Remote Code Execution. An SSH server may allow an
     attacker to perform unauthenticated remote code execution (RCE). By
     exploiting a flaw in SSH protocol message handling, a malicious actor
     could gain unauthorized access to affected systems and execute
     arbitrary commands without valid credentials. (Closes: #1103442)
Checksums-Sha1:
 983feea0f46772fe886671ffef1bc86b83eafc8f 5137 erlang_23.2.6+dfsg-1+deb11u2.dsc
 afa02feb6c29977e3b91f9ed7be287004b44235d 45298504 erlang_23.2.6+dfsg.orig.tar.xz
 81bdde330bd5bedfbe8b91f8d66a710529714c5a 83384 erlang_23.2.6+dfsg-1+deb11u2.debian.tar.xz
 11f3a82aa5831f6a34691d9b081430efb6734d84 30565 erlang_23.2.6+dfsg-1+deb11u2_amd64.buildinfo
Checksums-Sha256:
 cad121c1344a8f61c65826ff0399d2903343005696c10497fb2261557fa8620e 5137 erlang_23.2.6+dfsg-1+deb11u2.dsc
 e6e513922e26d08026b6b25906881b45fde33085b6dfc89f6cbbb315fd4fc51c 45298504 erlang_23.2.6+dfsg.orig.tar.xz
 7ac986cbdf5c054fd8e5597d8d4ee75963988228af26fec2bb45d581df9f9a0c 83384 erlang_23.2.6+dfsg-1+deb11u2.debian.tar.xz
 af303cae57a95976d03b674eede98a1c2f4cac7b7248cf88b961cb98d47447ad 30565 erlang_23.2.6+dfsg-1+deb11u2_amd64.buildinfo
Files:
 b2f6778c7416e47ef95a988d619a1049 5137 interpreters optional erlang_23.2.6+dfsg-1+deb11u2.dsc
 5124e4670d0e18686c38eb58df5f9166 45298504 interpreters optional erlang_23.2.6+dfsg.orig.tar.xz
 2db1ab1c7bdca7fd575afa1487c58da3 83384 interpreters optional erlang_23.2.6+dfsg-1+deb11u2.debian.tar.xz
 f9db7790f7bb0ed983967202831b5e78 30565 interpreters optional erlang_23.2.6+dfsg-1+deb11u2_amd64.buildinfo