Your message dated Mon, 15 Sep 2025 16:21:25 +0000
with message-id <[email protected]>
and subject line Bug#1115091: fixed in erlang 1:27.3.4.3+dfsg-1
has caused the Debian Bug report #1115091,
regarding erlang: CVE-2025-48040
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1115091: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1115091
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: erlang
Version: 1:27.3.4.1+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/erlang/otp/pull/10162
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for erlang.

CVE-2025-48040[0]:
| Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh
| (ssh_sftp modules) allows Excessive Allocation, Flooding. This
| vulnerability is associated with program files
| lib/ssh/src/ssh_sftpd.erl.  This issue affects OTP from OTP 17.0
| until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh
| from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-48040
    https://www.cve.org/CVERecord?id=CVE-2025-48040
[1] https://github.com/erlang/otp/pull/10162
[2] https://github.com/erlang/otp/security/advisories/GHSA-h7rg-6rjg-4cph
[3] https://github.com/erlang/otp/commit/7cd7abb7e19e16b027eaee6a54e1f6fbbe21181a
[4] https://github.com/erlang/otp/commit/548f1295d86d0803da884db8685cc16d461d0d5a

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: erlang
Source-Version: 1:27.3.4.3+dfsg-1
Done: Sergei Golovan <[email protected]>

We believe that the bug you reported is fixed in the latest version of
erlang, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sergei Golovan <[email protected]> (supplier of updated erlang package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Mon, 15 Sep 2025 18:42:37 +0300
Source: erlang
Architecture: source
Version: 1:27.3.4.3+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Erlang Packagers <[email protected]>
Changed-By: Sergei Golovan <[email protected]>
Closes: 1115086 1115090 1115091 1115092 1115093
Changes:
 erlang (1:27.3.4.3+dfsg-1) unstable; urgency=medium
 .
   * New upstream release.
   * Fix CVE-2025-48038: allocation of resources without limits or throttling
     vulnerability in the ssh_sftp module allows excessive allocation,
     resource leak exposure (closes: #1115093).
   * Fix CVE-2025-48039: allocation of resources without limits or throttling
     vulnerability in the ssh_sftp module allows excessive allocation,
     resource leak exposure (closes: #1115092).
   * Fix CVE-2025-48040: uncontrolled resource consumption vulnerability in
     the ssh_sftp module allows excessive allocation, flooding (closes:
     1115091).
   * Fix CVE-2025-48041: allocation of resources without limits or throttling
     vulnerability in the ssh_sftp module allows excessive allocation,
     flooding (closes: #1115090).
   * Fix CVE-2016-1000107: inets does not protect applications from the presence
     of untrusted client data in the HTTP_PROXY environment variable
     (closes: #1115086).



--- End Message ---