Hi Sergei, On Tue, Dec 19, 2023 at 12:12:27PM +0300, Sergei Golovan wrote: > Hi Salvatore, > > On Tue, Dec 19, 2023 at 11:24 AM Salvatore Bonaccorso <[email protected]> > wrote: > > > > Source: erlang > > Version: 1:25.2.3+dfsg-1 > > Severity: important > > Tags: security upstream > > X-Debbugs-Cc: [email protected], Debian Security Team > > <[email protected]> > > > > Hi, > > > > The following vulnerability was published for erlang. > > > > CVE-2023-48795[0]: > > Reading the latest announcement on the Erlang mailing list I've found > that there is an update of ssh in Erlang 25 which addresses > CVE-2023-48795: > https://erlang.org/pipermail/erlang-announce/2023-December/000260.html > > I will try to backport these changes to Erlang currently in stable if > it's necessary. As for the unstable, the newest version will fix this > as well.
Thanks for working on it. I would say, let's start top-down so go first trough unstable upload, then we can assess the state for it for the security supported suites (and if it needs a DSA or can go trough a point release). There might be e.g. mitigating factor if ChaCha20-Poly1305 and Encrypt-then-MAC support is missing. Regards, Salvatore

