erlang-cowlib - Debian Package Tracker

general

source: erlang-cowlib (main)
version: 1.3.0-3
maintainer: Debian Erlang Packagers (archive) (DMD)
uploaders: Balint Reczey [DMD]
arch: any
std-ver: 4.1.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.3.0-3
oldstable: 1.3.0-3
stable: 1.3.0-3
testing: 1.3.0-3
unstable: 1.3.0-3

versioned links

1.3.0-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

erlang-cowlib (1 bugs: 0, 0, 1, 0)

action needed

Marked for autoremoval on 16 June due to erlang: #1135630, #1135919 high

Version 1.3.0-3 of erlang-cowlib is marked for autoremoval from testing on Tue 16 Jun 2026. It depends (transitively) on erlang, affected by #1135630, #1135919. You should try to prevent the removal by fixing these RC bugs.

Created: 2026-05-10 Last update: 2026-05-21 20:31

A new upstream version is available: 2.16.1 high

A new upstream version 2.16.1 is available, you should consider packaging it.

Created: 2025-11-27 Last update: 2026-05-21 18:01

2 security issues in trixie high

There are 2 open security issues in trixie.

2 important issues:

CVE-2026-7790: Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation. The chunked transfer-encoding parser in cow_http_te accepts an unbounded number of hex digits in the chunk-size field. Each digit causes a bignum multiplication (Len * 16 + digit), so parsing N hex digits requires O(N²) CPU work and O(N) memory. Additionally, when input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, raising the cost to O(N³). An unauthenticated remote attacker can exploit this by sending an HTTP/1.1 request with Transfer-Encoding: chunked and a very long chunk-size hex string to cause denial of service through CPU exhaustion and memory amplification. This vulnerability is associated with program file src/cow_http_te.erl and program routines cow_http_te:stream_chunked/2, cow_http_te:chunked_len/4. This issue affects cowlib: from 0.6.0 before 2.16.1.
CVE-2026-43970: Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion. cow_spdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY header compression dictionary (?ZDICT) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY frame payload can decompress to gigabytes on the BEAM heap, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for syn_stream, syn_reply, and headers frame types are all affected via cow_spdy:parse_headers/2. This issue affects cowlib from 0.1.0 before 2.16.1.