Debian Package Tracker

erlang-cowlib

Erlang library for manipulating web protocols


general
  • source: erlang-cowlib (main)
  • version: 2.17.1-1
  • maintainer: Debian Erlang Packagers (archive) (DMD)
  • uploaders: Sergei Golovan [DMD]
  • arch: any
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 1.3.0-3
  • oldstable: 1.3.0-3
  • stable: 1.3.0-3
  • testing: 2.17.1-1
  • unstable: 2.17.1-1
versioned links
  • 1.3.0-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.17.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • erlang-cowlib
action needed
version in VCS is newer than in repository, is it time to upload? normal
vcswatch reports that this package seems to have a new changelog entry (version 2.17.1-2, distribution unstable) and new commits in its VCS. You should consider whether it's time to make an upload.
Created: 2026-06-25 Last update: 2026-06-25 09:32
2 low-priority security issues in trixie low

There are 2 open security issues in trixie.

2 issues left for the package maintainer to handle:
  • CVE-2026-7790: (needs triaging) Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation. The chunked transfer-encoding parser in cow_http_te accepts an unbounded number of hex digits in the chunk-size field. Each digit causes a bignum multiplication (Len * 16 + digit), so parsing N hex digits requires O(N²) CPU work and O(N) memory. Additionally, when input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, raising the cost to O(N³). An unauthenticated remote attacker can exploit this by sending an HTTP/1.1 request with Transfer-Encoding: chunked and a very long chunk-size hex string to cause denial of service through CPU exhaustion and memory amplification. This vulnerability is associated with program file src/cow_http_te.erl and program routines cow_http_te:stream_chunked/2, cow_http_te:chunked_len/4. This issue affects cowlib: from 0.6.0 before 2.16.1.
  • CVE-2026-43970: (needs triaging) Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion. cow_spdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY header compression dictionary (?ZDICT) is public, and zlib compresses long runs of repeated bytes at roughly 1024:1, so a SPDY frame payload inflates to about a thousand times its size on the BEAM heap: a few kilobytes become megabytes, and a frame of a few megabytes becomes gigabytes, OOM-killing the node. A single unauthenticated SPDY frame is sufficient to trigger the condition. The parsers for syn_stream, syn_reply, and headers frame types are all affected via cow_spdy:parse_headers/2. This issue affects cowlib from 0.1.0 before 2.16.1.
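The chunk-size parsing cost described for CVE-2026-7790, as an added example that is not cowlib's code: a Python model of a parser that accepts any number of hex digits and re-parses from zero on every partial read, beside a parser that bounds the digit count (MAX_CHUNK_SIZE_DIGITS, an assumed value of 16) and carries its state across reads. The `ops` counter stands in for the bignum multiply-add steps the advisory describes; chunk extensions (`;name=value`) are ignored to keep the model short.

```python
"""Hardened vs. naive HTTP/1.1 chunk-size parsing.

Added example (not cowlib code): models the two defects the CVE-2026-7790
text describes, an unbounded hex-digit count and a parser that discards
the accumulated length on a partial read, beside a bounded, resumable
parser. Chunk extensions (";name=value") are ignored for brevity.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

HEX_DIGITS = b"0123456789abcdefABCDEF"
MAX_CHUNK_SIZE_DIGITS = 16   # assumed limit: 16 hex digits covers 2^64-1

Result = Tuple[str, Optional[int], bytes]   # (state, chunk_len, unconsumed)


@dataclass
class NaiveChunkSizeParser:
    """Re-parses from the start of the buffer on every call and accepts any
    number of digits. 'ops' counts accumulate steps; each is a bignum
    multiply-add whose own cost grows with the number of digits seen."""
    ops: int = 0

    def feed(self, buf: bytes) -> Result:
        length, i = 0, 0
        while i < len(buf) and buf[i] in HEX_DIGITS:
            length = length * 16 + int(chr(buf[i]), 16)
            self.ops += 1
            i += 1
        if buf[i:i + 2] == b"\r\n":
            return ("ok", length, buf[i + 2:])
        if buf[i:] in (b"", b"\r"):
            # Partial line: the accumulated length is dropped and the whole
            # buffer is handed back to be parsed again on the next read.
            return ("more", None, buf)
        return ("error", None, b"")


@dataclass
class BoundedChunkSizeParser:
    """Keeps length and digit count between reads and rejects the line once
    MAX_CHUNK_SIZE_DIGITS is exceeded, so total work is linear in the input
    and the chunk length always fits a fixed-width integer."""
    length: int = 0
    digits: int = 0
    ops: int = 0

    def feed(self, buf: bytes) -> Result:
        i = 0
        while i < len(buf) and buf[i] in HEX_DIGITS:
            if self.digits >= MAX_CHUNK_SIZE_DIGITS:
                return ("error", None, b"")       # chunk-size line too long
            self.length = self.length * 16 + int(chr(buf[i]), 16)
            self.digits += 1
            self.ops += 1
            i += 1
        rest = buf[i:]
        if rest.startswith(b"\r\n"):
            if self.digits == 0:
                return ("error", None, b"")       # empty chunk-size field
            chunk_len, self.length, self.digits = self.length, 0, 0
            return ("ok", chunk_len, rest[2:])
        if rest in (b"", b"\r"):
            return ("more", None, rest)           # keep only the unconsumed tail
        return ("error", None, b"")


def drip_feed(parser, data: bytes) -> Tuple[str, Optional[int]]:
    """Deliver 'data' one byte at a time, as a slow attacker would."""
    buf = b""
    for byte in data:
        buf += bytes([byte])
        state, chunk_len, buf = parser.feed(buf)
        if state != "more":
            return state, chunk_len
    return "more", None


def compare(n_digits: int) -> dict:
    """Outcome and accumulate-step count for a chunk-size line of n_digits
    hex digits, drip-fed to both parsers."""
    line = b"f" * n_digits + b"\r\n"
    naive, bounded = NaiveChunkSizeParser(), BoundedChunkSizeParser()
    n_state, _ = drip_feed(naive, line)
    b_state, _ = drip_feed(bounded, line)
    return {"naive": (n_state, naive.ops), "bounded": (b_state, bounded.ops)}


if __name__ == "__main__":
    print(drip_feed(BoundedChunkSizeParser(), b"1a\r\n"))   # ('ok', 26)
    print(compare(200))   # naive: ('ok', 20500) steps; bounded: ('error', 16)
```

Under drip-feeding the naive parser's step count grows quadratically in the number of digits, and since each step is a bignum operation on an ever-longer integer the total cost is cubic, which is the O(N³) bound in the advisory; the bounded parser performs at most 16 steps before rejecting the line. The useful black-box check against any HTTP/1.1 server is therefore whether a chunk-size line longer than a sane limit is rejected outright, not merely parsed more quickly.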

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-05-12 Last update: 2026-06-24 07:30
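The unbounded inflate described for CVE-2026-43970, as an added example that is not cowlib's code: Python's zlib module supports the same preset-dictionary mode that SPDY header compression relies on, so the vulnerable pattern and a bounded replacement can be shown side by side. DEMO_DICT, MAX_HEADER_BLOCK, HEADERS and the 4 MiB bomb are constructed for the demo (the real ?ZDICT is not reproduced); the bound uses `decompressobj.decompress(data, max_length)` so the budget is enforced before any excess output is allocated.

```python
"""Bounded inflate for peer-supplied compressed header blocks.

Added example (not cowlib code): models the CVE-2026-43970 defect, handing
attacker-controlled deflate data to zlib with no cap on the output, beside
a decompressor that stops as soon as a caller-chosen budget is exceeded.
The dictionary, limit and sample data below are constructed for the demo;
the real SPDY dictionary is not reproduced.
"""
import zlib

DEMO_DICT = b"host: user-agent: accept: content-length: "  # stand-in for ?ZDICT
MAX_HEADER_BLOCK = 64 * 1024   # assumed per-block budget for decompressed headers
HEADERS = b"host: example.test\r\nuser-agent: demo/1.0\r\naccept: */*\r\n"  # constructed


def compress_with_dict(raw: bytes, zdict: bytes = DEMO_DICT) -> bytes:
    """Compress as a peer would, using the shared (public) dictionary."""
    c = zlib.compressobj(level=9, zdict=zdict)
    return c.compress(raw) + c.flush()


def build_bomb(size: int) -> bytes:
    """A payload that inflates to `size` zero bytes. Deflate encodes long runs
    at roughly 1000:1, so a few KiB of input becomes megabytes of output."""
    return compress_with_dict(b"\x00" * size)


def inflate_unbounded(payload: bytes, zdict: bytes = DEMO_DICT) -> bytes:
    """The vulnerable pattern: the output size is whatever the peer chose."""
    d = zlib.decompressobj(zdict=zdict)
    return d.decompress(payload) + d.flush()


def inflate_bounded(payload: bytes, limit: int = MAX_HEADER_BLOCK,
                    zdict: bytes = DEMO_DICT) -> bytes:
    """Inflate at most `limit` bytes. max_length caps each call's output and
    leaves the unprocessed input in unconsumed_tail, so the check happens
    before more memory is committed."""
    d = zlib.decompressobj(zdict=zdict)
    out = bytearray()
    data = payload
    while data:
        # Ask for at most one byte beyond the remaining budget: producing that
        # byte proves the block is oversized without inflating the rest.
        out += d.decompress(data, limit + 1 - len(out))
        if len(out) > limit:
            raise ValueError("decompressed header block exceeds %d bytes" % limit)
        data = d.unconsumed_tail
    return bytes(out)


def classify(payload: bytes, limit: int = MAX_HEADER_BLOCK) -> str:
    """'accepted' if the block fits the budget, 'rejected' otherwise."""
    try:
        inflate_bounded(payload, limit)
        return "accepted"
    except ValueError:
        return "rejected"


def amplification(payload: bytes) -> float:
    """Decompressed size divided by compressed size (unbounded inflate)."""
    return len(inflate_unbounded(payload)) / len(payload)


if __name__ == "__main__":
    bomb = build_bomb(4 * 1024 * 1024)
    print(len(bomb), "bytes of payload inflate by about", round(amplification(bomb)), "x")
    print(classify(compress_with_dict(HEADERS)), classify(bomb))   # accepted rejected
```

The amplification measured for the bomb is about 1000:1, which is the ceiling a single deflate stream can reach; gigabytes of output therefore need megabytes of compressed input, or a per-connection compression context fed across many frames. On the BEAM the equivalent of `max_length` is to inflate in chunks and stop at a budget rather than calling `zlib:inflate/2` on the whole block (later OTP releases provide `zlib:safeInflate/2` for this). Whether a given deployment is exposed at all depends on whether anything still routes traffic into `cow_spdy`, since SPDY has been superseded by HTTP/2.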
2 low-priority security issues in bookworm low

There are 2 open security issues in bookworm.

2 issues left for the package maintainer to handle:
  • CVE-2026-7790: (needs triaging) the same cow_http_te chunk-size issue listed for trixie above; affects cowlib from 0.6.0 before 2.16.1.
  • CVE-2026-43970: (needs triaging) the same cow_spdy unbounded-inflate issue listed for trixie above; affects cowlib from 0.1.0 before 2.16.1.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-05-12 Last update: 2026-06-24 07:30
news
[rss feed]
  • [2026-06-24] erlang-cowlib 2.17.1-1 MIGRATED to testing (Debian testing watch)
  • [2026-06-19] Accepted erlang-cowlib 2.17.1-1 (source) into unstable (Sergei Golovan)
  • [2024-08-19] erlang-cowlib 1.3.0-3 MIGRATED to testing (Debian testing watch)
  • [2024-07-19] erlang-cowlib REMOVED from testing (Debian testing watch)
  • [2018-06-05] erlang-cowlib 1.3.0-3 MIGRATED to testing (Debian testing watch)
  • [2018-05-30] Accepted erlang-cowlib 1.3.0-3 (source amd64) into unstable (Nobuhiro Iwamatsu)
  • [2017-01-10] erlang-cowlib 1.3.0-2 MIGRATED to testing (Debian testing watch)
  • [2016-12-30] Accepted erlang-cowlib 1.3.0-2 (source) into unstable (Balint Reczey)
  • [2015-05-05] erlang-cowlib 1.3.0-1 MIGRATED to testing (Britney)
  • [2015-04-29] Accepted erlang-cowlib 1.3.0-1 (source amd64) into unstable (Balint Reczey)
  • [2014-10-25] erlang-cowlib 1.0.0-1 MIGRATED to testing (Britney)
  • [2014-10-14] Accepted erlang-cowlib 1.0.0-1 (source amd64) into unstable (Balint Reczey)
  • [2014-08-13] erlang-cowlib 0.6.2-2 MIGRATED to testing (Britney)
  • [2014-08-07] Accepted erlang-cowlib 0.6.2-2 (source amd64) into unstable (Balint Reczey)
  • [2014-08-06] erlang-cowlib 0.6.2-1 MIGRATED to testing (Britney)
bugs [bug history graph]
  • all: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 1.3.0-3build1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing