Hi Sergei,

On Tue, Sep 16, 2025 at 10:17:59AM +0300, Sergei Golovan wrote:
> Hi Salvatore,
>
> On Sat, Sep 13, 2025 at 1:39 PM Salvatore Bonaccorso <[email protected]>
> wrote:
> >
> > Hi,
> >
> > The following vulnerability was published for erlang.
> >
> > CVE-2025-48038[0]:
> > | Allocation of Resources Without Limits or Throttling vulnerability
> > | in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation,
> > | Resource Leak Exposure. This vulnerability is associated with
> > | program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP
> > | from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15
> > | corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
>
> I have uploaded the latest upstream versions with fixes to all five
> reported CVEs to unstable and experimental.
>
> Now I'd like to backport the fixes to trixie and bookworm as well. Do
> you think the CVEs are serious enough to warrant a DSA? Or I'll just
> upload them to the proposed-updates suites (with suitable bug reports
> to the release.debian.org pseudopackage)?
Thanks for reaching out, and for having already fixed the issues in
unstable and experimental!

We think a point release update should be enough for those issues; can
you contact the SRM accordingly?

Thanks a lot as well for taking care of fixing the issues in trixie and
bookworm.

Regards,
Salvatore