Your message dated Fri, 09 May 2025 10:20:42 +0000
with message-id <[email protected]>
and subject line Bug#1104963: fixed in erlang 1:27.3.4+dfsg-1
has caused the Debian Bug report #1104963,
regarding erlang: CVE-2025-46712
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1104963: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104963
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: erlang
Version: 1:27.3.3+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for erlang.
CVE-2025-46712[0]:
| Erlang/OTP is a set of libraries for the Erlang programming
| language. In versions prior to OTP-27.3.4 (for OTP-27),
| OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25),
| Erlang/OTP SSH fails to enforce strict KEX handshake hardening
| measures by allowing optional messages to be exchanged. This allows
| a Man-in-the-Middle attacker to inject these messages in a
| connection during the handshake. This issue has been patched in
| versions OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and
| OTP-25.3.2.21 (for OTP-25).
This does not warrant a DSA, fwiw, might be fixed in one of the next
point releases ideally, but as well ideally already in trixie before
the release.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-46712
https://www.cve.org/CVERecord?id=CVE-2025-46712
[1] https://github.com/erlang/otp/security/advisories/GHSA-934x-xq38-hhqf
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: erlang
Source-Version: 1:27.3.4+dfsg-1
Done: Sergei Golovan <[email protected]>
We believe that the bug you reported is fixed in the latest version of
erlang, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sergei Golovan <[email protected]> (supplier of updated erlang package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 09 May 2025 09:04:59 +0300
Source: erlang
Architecture: source
Version: 1:27.3.4+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Erlang Packagers <[email protected]>
Changed-By: Sergei Golovan <[email protected]>
Closes: 1104963
Changes:
erlang (1:27.3.4+dfsg-1) unstable; urgency=medium
.
* New upstream release.
* Fix CVE-2025-46712 in erlang-ssh application, where a man-in-the-middle
could use optional KEX messages to impact the KEX process (closes:
#1104963).
Checksums-Sha1:
c00541aee24563fd491d5e9f5c041a5a898acd74 4896 erlang_27.3.4+dfsg-1.dsc
4cd229097b3ae9639b94f827223a7867e043cb9d 47594396 erlang_27.3.4+dfsg.orig.tar.xz
24c02c65e0ce5680cd6670717f133a311bc03e3a 57492 erlang_27.3.4+dfsg-1.debian.tar.xz
ca791301692ed6223123cb8c3b107d5caf62a1db 30480 erlang_27.3.4+dfsg-1_amd64.buildinfo
Checksums-Sha256:
b39612e389ab23995c992be850a0094fdfedc25f9948f8f075d132f14ccdb40a 4896 erlang_27.3.4+dfsg-1.dsc
2d8a035faee5341ea48713734e2312fa185f8d63dd6c9fbf56ff4b44865d3794 47594396 erlang_27.3.4+dfsg.orig.tar.xz
6e8c045313dff36f57794dc4b66729850ef81c1a25dc2f1717cfd6bc17665123 57492 erlang_27.3.4+dfsg-1.debian.tar.xz
381de958882c3419f3e78b85a54dad5f7858d26ac70e89aca84ff2fc978eb861 30480 erlang_27.3.4+dfsg-1_amd64.buildinfo
Files:
b70d59778425c85ee21f4b27950609d6 4896 interpreters optional erlang_27.3.4+dfsg-1.dsc
03fc6f4247b8559d2c08ac09343a3471 47594396 interpreters optional erlang_27.3.4+dfsg.orig.tar.xz
26db21b147c5a5519a3bd826c093781f 57492 interpreters optional erlang_27.3.4+dfsg-1.debian.tar.xz
902a62ccadc0a0924daf7d6c9b15b1b3 30480 interpreters optional erlang_27.3.4+dfsg-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---