Your message dated Tue, 10 Mar 2026 08:35:39 +0000
with message-id <[email protected]>
and subject line Bug#1128651: fixed in erlang 1:27.3.4.8+dfsg-1
has caused the Debian Bug report #1128651,
regarding erlang: CVE-2026-21620
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1128651: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128651
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: erlang
Version: 1:27.3.4.6+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/erlang/otp/pull/10706
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1:27.3.4.1+dfsg-1
Control: found -1 1:25.2.3+dfsg-1
Control: found -1 1:25.2.3+dfsg-1+deb12u1
Control: found -1 1:25.2.3+dfsg-1+deb12u3
Hi,
The following vulnerability was published for erlang.
CVE-2026-21620[0]:
| Relative Path Traversal, Improper Isolation or Compartmentalization
| vulnerability in erlang otp erlang/otp (tftp_file modules), erlang
| otp inets (tftp_file modules), erlang otp tftp (tftp_file modules)
| allows Relative Path Traversal. This vulnerability is associated
| with program files lib/tftp/src/tftp_file.erl, src/tftp_file.erl.
| This issue affects otp: from 17.0, from
| 07b8f441ca711f9812fad9e9115bab3c3aa92f79; otp: from 5.10 before 7.0;
| otp: from 1.0.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-21620
https://www.cve.org/CVERecord?id=CVE-2026-21620
[1] https://github.com/erlang/otp/security/advisories/GHSA-hmrc-prh3-rpvp
[2] https://github.com/erlang/otp/pull/10706
[3] https://github.com/erlang/otp/commit/3970738f687325138eb75f798054fa8960ac354e
[4] https://github.com/erlang/otp/commit/655fb95725ba2fb811740b57e106873833824344
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
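The changelog below describes the fix as stopping TFTP from naming a file outside its root directory. As an added illustration (not OTP's tftp_file code and not the upstream patch linked above), here is the confinement check a TFTP read/write handler needs, in Python, with an assumed root of /srv/tftp; it also covers the sibling-prefix trap (/srv/tftp vs /srv/tftp-private) that a naive string-prefix test misses.

```python
import posixpath


class PathTraversalError(ValueError):
    """Raised when an untrusted TFTP filename would escape the root directory."""


def safe_join(root: str, requested: str) -> str:
    """Resolve an untrusted TFTP filename (from an RRQ/WRQ) under root.

    The check is lexical: it normalises the joined path and verifies that the
    result is still root itself or something below it. It refuses empty names,
    embedded NULs, absolute paths and any ".." that climbs above root. It does
    not follow symlinks; before opening the file the caller should also apply
    os.path.realpath() to the result and repeat the prefix check.
    """
    if not requested or "\x00" in requested:
        raise PathTraversalError("empty filename or embedded NUL")
    if requested.startswith("/"):
        # Assumed policy: the configured root is authoritative, so a client
        # sending "/etc/passwd" is refused rather than silently re-rooted.
        raise PathTraversalError(f"absolute path refused: {requested!r}")

    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, requested))

    # Compare with a trailing separator so that /srv/tftp does not accept
    # /srv/tftp-private/key, which shares the root as a plain string prefix.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        raise PathTraversalError(
            f"path escapes root: {requested!r} resolves to {candidate}"
        )
    return candidate


def is_confined(root: str, requested: str) -> bool:
    """True if the request would be served, False if the handler refuses it."""
    try:
        safe_join(root, requested)
    except PathTraversalError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample requests against an assumed root.
    for name in ("boot/pxelinux.0", "../etc/passwd", "../tftp-private/key"):
        print(f"{name!r}: {'allowed' if is_confined('/srv/tftp', name) else 'refused'}")
```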
--- Begin Message ---
Source: erlang
Source-Version: 1:27.3.4.8+dfsg-1
Done: Sergei Golovan <[email protected]>
We believe that the bug you reported is fixed in the latest version of
erlang, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sergei Golovan <[email protected]> (supplier of updated erlang package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Tue, 10 Mar 2026 10:07:09 +0300
Source: erlang
Architecture: source
Version: 1:27.3.4.8+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Erlang Packagers <[email protected]>
Changed-By: Sergei Golovan <[email protected]>
Closes: 1128651
Changes:
erlang (1:27.3.4.8+dfsg-1) unstable; urgency=medium
.
* New upstream release.
* Fix CVE-2026-21620: a bug which allows TFTP to specify a file to download
outside the TFTP root directory (closes: #1128651).
--- End Message ---