Your message dated Mon, 15 Sep 2025 16:54:35 +0000
with message-id <[email protected]>
and subject line Bug#1115091: fixed in erlang 1:28.0.4+dfsg-1
has caused the Debian Bug report #1115091,
regarding erlang: CVE-2025-48040
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1115091: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1115091
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: erlang
Version: 1:27.3.4.1+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/erlang/otp/pull/10162
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for erlang.
CVE-2025-48040[0]:
| Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh
| (ssh_sftp modules) allows Excessive Allocation, Flooding. This
| vulnerability is associated with program files
| lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0
| until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh
| from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-48040
https://www.cve.org/CVERecord?id=CVE-2025-48040
[1] https://github.com/erlang/otp/pull/10162
[2] https://github.com/erlang/otp/security/advisories/GHSA-h7rg-6rjg-4cph
[3] https://github.com/erlang/otp/commit/7cd7abb7e19e16b027eaee6a54e1f6fbbe21181a
[4] https://github.com/erlang/otp/commit/548f1295d86d0803da884db8685cc16d461d0d5a
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: erlang
Source-Version: 1:28.0.4+dfsg-1
Done: Sergei Golovan <[email protected]>
We believe that the bug you reported is fixed in the latest version of
erlang, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sergei Golovan <[email protected]> (supplier of updated erlang package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Mon, 15 Sep 2025 18:58:44 +0300
Source: erlang
Architecture: source
Version: 1:28.0.4+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Erlang Packagers <[email protected]>
Changed-By: Sergei Golovan <[email protected]>
Closes: 1115086 1115090 1115091 1115092 1115093
Changes:
erlang (1:28.0.4+dfsg-1) experimental; urgency=medium
.
* New upstream release.
* Upload to experimental.
* Fix CVE-2025-48038: allocation of resources without limits or throttling
vulnerability in the ssh_sftp module allows excessive allocation,
resource leak exposure (closes: #1115093).
* Fix CVE-2025-48039: allocation of resources without limits or throttling
vulnerability in the ssh_sftp module allows excessive allocation,
resource leak exposure (closes: #1115092).
* Fix CVE-2025-48040: uncontrolled resource consumption vulnerability in
the ssh_sftp module allows excessive allocation, flooding (closes:
#1115091).
* Fix CVE-2025-48041: allocation of resources without limits or throttling
vulnerability in the ssh_sftp module allows excessive allocation,
flooding (closes: #1115090).
* Fix CVE-2016-1000107: inets does not protect applications from the presence
of untrusted client data in the HTTP_PROXY environment variable
(closes: #1115086).
--- End Message ---