Hi Salvatore, On Sat, Sep 13, 2025 at 1:39 PM Salvatore Bonaccorso <[email protected]> wrote: > > Hi, > > The following vulnerability was published for erlang. > > CVE-2025-48038[0]: > | Allocation of Resources Without Limits or Throttling vulnerability > | in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, > | Resource Leak Exposure. This vulnerability is associated with > | program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP > | form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 > | corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
I have uploaded the latest upstream versions with fixes to all five reported CVEs to unstable and experimental. Now I'd like to backport the fixes to trixie and bookworm as well. Do you think the CVEs are serious enough to warrant DSA? Or I'll just upload them to the proposed-updates suits (with suitable bugreports to the release.debian.org pseudopackage)? Cheers! -- Sergei Golovan
