Your message dated Tue, 01 Apr 2025 06:05:52 +0000
with message-id <[email protected]>
and subject line Bug#1101713: fixed in erlang 1:27.3.1+dfsg-1
has caused the Debian Bug report #1101713,
regarding erlang: CVE-2025-30211
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1101713: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101713
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: erlang
Version: 1:27.3+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for erlang.

CVE-2025-30211[0]:
| Erlang/OTP is a set of libraries for the Erlang programming
| language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a
| maliciously formed KEX init message can result with high memory
| usage. Implementation does not verify RFC specified limits on
| algorithm names (64 characters) provided in KEX init message. Big
| KEX init packet may lead to inefficient processing of the error
| data. As a result, large amount of memory will be allocated for
| processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and
| OTP-25.3.2.19 fix the issue. Some workarounds are available. One may
| set option `parallel_login` to `false` and/or reduce the
| `max_sessions` option.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-30211
    https://www.cve.org/CVERecord?id=CVE-2025-30211
[1] https://github.com/erlang/otp/security/advisories/GHSA-vvr3-fjhh-cfwc

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: erlang
Source-Version: 1:27.3.1+dfsg-1
Done: Sergei Golovan <[email protected]>

We believe that the bug you reported is fixed in the latest version of
erlang, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sergei Golovan <[email protected]> (supplier of updated erlang package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 01 Apr 2025 08:28:34 +0300
Source: erlang
Architecture: source
Version: 1:27.3.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Erlang Packagers <[email protected]>
Changed-By: Sergei Golovan <[email protected]>
Closes: 1101713
Changes:
 erlang (1:27.3.1+dfsg-1) unstable; urgency=medium
 .
   * New upstream release.
   * Fix CVE-2025-30211 in erlang-ssh application, where a maliciously
     formed KEX init message could result with high memory usage (closes:
     #1101713).
Checksums-Sha1:
 86f5c2ece1c49b228c5ae7d104c613d20156d1fa 4896 erlang_27.3.1+dfsg-1.dsc
 4c7956859c758b3a70ebcc0bcb0fd61a4edb3d98 47402080 
erlang_27.3.1+dfsg.orig.tar.xz
 fe5ec0bb3265ab0cfb34f15f8a50bb0aee64abbd 57364 
erlang_27.3.1+dfsg-1.debian.tar.xz
 4d00928be2939af209d3f2c9bef3a3086e728513 30533 
erlang_27.3.1+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 06c038e6cb757bba1ebdf1bcb88ff4749107b101bc4c5831f5aa9f102aa5abd3 4896 
erlang_27.3.1+dfsg-1.dsc
 e65f7144f8a99f0ba6046f40162b3ba4b1e09cfca15bee591800bc37c45ffb53 47402080 
erlang_27.3.1+dfsg.orig.tar.xz
 a34adfb110ea8d3438de3be7812b2e1121dbec9714cb695597b453569d25f990 57364 
erlang_27.3.1+dfsg-1.debian.tar.xz
 ea7e68163a65087b65e12915bc2311f0972d0963638acae9aa2bccac708761a6 30533 
erlang_27.3.1+dfsg-1_amd64.buildinfo
Files:
 c274dc521af2877bd0f57329ea49e157 4896 interpreters optional 
erlang_27.3.1+dfsg-1.dsc
 33e95433498d6700a4f1fc50e20535d4 47402080 interpreters optional 
erlang_27.3.1+dfsg.orig.tar.xz
 bbf62ce704f52bfe751e90df086a06c9 57364 interpreters optional 
erlang_27.3.1+dfsg-1.debian.tar.xz
 8df4d2fa676896a8866026ace8af8043 30533 interpreters optional 
erlang_27.3.1+dfsg-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE/SYPsyDB+ShSnvc4Tyrk60tj54cFAmfrfXQACgkQTyrk60tj
54f9uA//XmTYvEZMOeWmj7seZLEwGf/b2F+NzMqmnidxylvO+I6migL59BEEW2Bw
6rP16Q9VzCIUO4KyWmFUFaG8CQIaWYwgV1bMnL4+73wN/5NuYnemMMwYU2nFJrm+
2AnVB5Ej+nq63IdSokm2TGvXunmwltKtN6fb7gAX5YHcKzFw4skigcYez/CQ09Fp
isMK8/6h3ZXvGArM+Nv+KG/LypqqacbAwyi/Ba0Xbk5ep6p04REslYgj5PiBM6X3
R0b4Z4FPMRj8/OCm5Ta1rmx7v0JRdrJTPwFUAl4OijLnA80O1C4e7+X7EVyVEZBB
/il8Iosp71SbOVqsTa0HL4UkMUMA4Hy7pftV9hXOy/Vs8tnLIeuGut5YwcI/isvG
6nkJw3oQvea66KTDZXrxY3WcfZoxP3gwmNnoBJH4f1tk7e9iWg3dODTJa6KO0pcQ
so96hWQoujNHfow63uuL2BKRIkr/wl3IIRnPJXPjVeeRW6fz2UsqkhA1ctG0sWCy
vG2sLxS7iMnp6qs51YsJr1HTYhLM6qxo9/RrsWNysTCv7IVytvP8pbqsjS3JiDfe
LsUrY0PujGukqf8YUIJrd0GLDK3lXxL+fTKPIz1LNNi/maYN8YMUVwj3YRVwlwkl
wJdfc0H5eP/dcYMUT+XKlygnLQ/P46cLKi5ygK+1ZBCwrvEDXm4=
=hu48
-----END PGP SIGNATURE-----

Attachment: pgpPazZnNkiXI.pgp
Description: PGP signature


--- End Message ---

Reply via email to