Source: erlang
Version: 1:27.3.4.8+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for erlang.
CVE-2026-23941[0]:
| Inconsistent Interpretation of HTTP Requests ('HTTP Request
| Smuggling') vulnerability in Erlang OTP (inets httpd module) allows
| HTTP Request Smuggling. This vulnerability is associated with
| program files lib/inets/src/http_server/httpd_request.erl and
| program routines httpd_request:parse_headers/7. The server does not
| reject or normalize duplicate Content-Length headers. The earliest
| Content-Length in the request is used for body parsing while common
| reverse proxies (nginx, Apache httpd, Envoy) honor the last Content-
| Length value. This violates RFC 9112 Section 6.3 and allows front-
| end/back-end desynchronization, leaving attacker-controlled bytes
| queued as the start of the next request. This issue affects OTP
| from OTP 17.0 until OTP 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18,
| corresponding to inets from 5.10 until 9.6.1, 9.3.2.3 and 9.1.0.5.
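As an added illustration (not OTP inets code and not part of the CVE record), the framing rule from RFC 9112 Section 6.3 applied by a small Python request-head parser: every Content-Length occurrence is kept, and the request is refused when the values conflict, so neither "first wins" nor "last wins" can ever be chosen by the back end. The sample requests, the BadRequest class and the function names are constructed for this example.

```python
"""Unambiguous body framing for HTTP/1.1 request heads.

Added example for this report; it is not the inets httpd parser.  It
implements the RFC 9112 Section 6.3 rule that a request carrying
Content-Length headers with differing values is invalid and must be
rejected, never parsed with the earliest (or latest) value.
"""
import re

_TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 9110 token
_DIGITS = re.compile(rb"^[0-9]+$")


class BadRequest(ValueError):
    """Raised when the request head cannot be framed unambiguously."""


def parse_head(raw: bytes):
    """Split a request head into (request_line, [(name, value), ...]).

    Header names are lower-cased; every occurrence is kept so that the
    framing check can see duplicates instead of silently keeping one.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("incomplete request head")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # reject obsolete line folding and whitespace around the field name
        if not colon or name != name.strip() or not _TOKEN.match(name):
            raise BadRequest("malformed header line: %r" % line)
        headers.append((name.lower(), value.strip()))
    return lines[0], headers


def body_length(headers):
    """Return the declared body length, or None when none is declared.

    RFC 9112 6.3 rules applied here:
      * Transfer-Encoding together with Content-Length  -> reject
      * several Content-Length values that differ       -> reject
      * several identical Content-Length values         -> accept once
      * a comma-separated list in one field is treated like duplicates
    """
    has_te = any(n == b"transfer-encoding" for n, _ in headers)
    values = []
    for name, value in headers:
        if name == b"content-length":
            values.extend(v.strip() for v in value.split(b","))
    if has_te:
        if values:
            raise BadRequest("Content-Length together with Transfer-Encoding")
        return None  # chunked framing is handled elsewhere
    if not values:
        return None
    if any(not _DIGITS.match(v) for v in values):
        raise BadRequest("non-numeric Content-Length: %r" % values)
    if len(set(values)) != 1:
        raise BadRequest("conflicting Content-Length values: %r" % values)
    return int(values[0])


def check(raw: bytes):
    """Accepted body length, or a string naming why the request was refused."""
    try:
        _line, headers = parse_head(raw)
        return body_length(headers)
    except BadRequest as exc:
        return "rejected: %s" % exc


# Constructed sample requests, not taken from any real capture.
CLEAN = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nhello")
DUPLICATE = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nContent-Length: 11\r\n\r\nhello world")

if __name__ == "__main__":
    print(check(CLEAN))       # 5
    print(check(DUPLICATE))   # rejected: conflicting Content-Length values ...
```

Rejecting outright (with a 400 and a closed connection) is the right response on a back end sitting behind a reverse proxy: any choice between the two values merely picks which proxy the server will disagree with.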
CVE-2026-23942[1]:
| Improper Limitation of a Pathname to a Restricted Directory ('Path
| Traversal') vulnerability in Erlang OTP (ssh_sftpd module) allows
| Path Traversal. This vulnerability is associated with program files
| lib/ssh/src/ssh_sftpd.erl and program routines
| ssh_sftpd:is_within_root/2. The SFTP server uses string prefix
| matching via lists:prefix/2 rather than proper path component
| validation when checking if a path is within the configured root
| directory. This allows authenticated users to access sibling
| directories that share a common name prefix with the configured root
| directory. For example, if root is set to /home/user1, paths like
| /home/user10 or /home/user1_backup would incorrectly be considered
| within the root. This issue affects OTP from OTP 17.0 until OTP
| 28.4.1, OTP 27.3.4.9 and OTP 26.2.5.18, corresponding to ssh from
| 3.0.1 until 5.5.1, 5.2.11.6 and 5.1.4.14.
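An added illustration of the check the advisory describes, written in Python rather than taken from ssh_sftpd.erl: the string-prefix test beside a component-wise containment test that normalizes the path first. It goes slightly beyond the advisory in that it also resolves "." and ".." segments and relative names, so the same check covers dot-dot escapes. Function names, the root and the sample paths are constructed (the sibling names /home/user10 and /home/user1_backup come from the advisory text).

```python
"""Root-containment check for an SFTP-style server.

Added example, not OTP ssh_sftpd code.  Shows why a string-prefix test
(the lists:prefix/2 idiom named in the advisory) is insufficient and what
a per-component check looks like.
"""
import posixpath


def _absolute(root: str, path: str) -> str:
    """Resolve a client-supplied name against the root, as SFTP servers do."""
    return path if path.startswith("/") else posixpath.join(root, path)


def naive_within_root(root: str, path: str) -> bool:
    """The defective pattern: a plain prefix test on the path string.
    Accepts /home/user10 for root /home/user1, and never resolves '..'."""
    return _absolute(root, path).startswith(root)


def _segments(p: str):
    """Normalize '.', '..', repeated and trailing slashes, then split into
    non-empty components so comparison happens per directory name."""
    return [seg for seg in posixpath.normpath(p).split("/") if seg]


def within_root(root: str, path: str) -> bool:
    """True only if path is the root itself or a descendant of it."""
    root_segs = _segments(root)
    path_segs = _segments(_absolute(root, path))
    return path_segs[: len(root_segs)] == root_segs


def resolve_or_reject(root: str, requested: str):
    """Normalized absolute path to open, or None if it escapes the root."""
    if not within_root(root, requested):
        return None
    return posixpath.normpath(_absolute(root, requested))


# Constructed cases with the containment result a correct check must give.
ROOT = "/home/user1"
CASES = {
    "/home/user1": True,
    "/home/user1/docs/report.txt": True,
    "docs/report.txt": True,            # relative to the root
    "/home/user10": False,              # shares the prefix, is a sibling
    "/home/user1_backup": False,
    "/home/user1/../user10/x": False,   # dot-dot escape
    "../user10": False,
}


def evaluate():
    """Run both checks over CASES; returns (prefix_results, component_results)."""
    naive = {p: naive_within_root(ROOT, p) for p in CASES}
    strict = {p: within_root(ROOT, p) for p in CASES}
    return naive, strict


if __name__ == "__main__":
    naive, strict = evaluate()
    for p, expected in CASES.items():
        flag = "" if naive[p] == expected else "  <-- prefix check wrong"
        print(f"{p:28} prefix={naive[p]!s:5} component={strict[p]!s:5}{flag}")
```

A trailing slash on the configured root ("/home/user1/") is harmless here because normalization strips it before the components are compared. Symbolic links inside the root are a separate concern that this string-level check cannot settle; a server has to resolve them (or refuse to follow them) before opening the file.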
CVE-2026-23943[2]:
| Improper Handling of Highly Compressed Data (Compression Bomb)
| vulnerability in Erlang OTP ssh (ssh_transport modules) allows
| Denial of Service via Resource Depletion. The SSH transport layer
| advertises legacy zlib compression by default and inflates attacker-
| controlled payloads pre-authentication without any size limit,
| enabling reliable memory exhaustion DoS. Two compression algorithms
| are affected:
| * zlib: Activates immediately after key exchange, enabling
|   unauthenticated attacks
| * zlib@openssh.com: Activates post-authentication, enabling
|   authenticated attacks
| Each SSH packet can decompress ~255 MB from 256 KB of wire data
| (1029:1 amplification ratio). Multiple packets can rapidly exhaust
| available memory, causing OOM kills in memory-constrained
| environments. This
| vulnerability is associated with program files
| lib/ssh/src/ssh_transport.erl and program routines
| ssh_transport:decompress/2, ssh_transport:handle_packet_part/4.
| This issue affects OTP from OTP 17.0 until OTP 28.4.1, 27.3.4.9 and
| 26.2.5.18 corresponding to ssh from 3.0.1 until 5.5.1, 5.2.11.6 and
| 5.1.4.14.
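An added illustration of the missing size limit, in Python rather than from ssh_transport.erl: a per-packet bounded inflater that asks zlib for at most limit+1 bytes and refuses the packet as soon as that bound is crossed, instead of inflating whatever the peer sent. It models SSH compression as one continuous zlib stream in which each packet ends with a sync flush (an assumption about the wire format made for the example); the 1 MiB ceiling, the class names and the sample packets are constructed and are not the limit OTP chose.

```python
"""Per-packet bounded zlib inflation for an SSH-style transport.

Added example, not OTP ssh_transport code.  Models the compression layer
as a single zlib stream where each packet is emitted with Z_SYNC_FLUSH,
and caps how much any one packet may expand to before it is discarded.
"""
import zlib

# Assumed ceiling for this illustration.  A real transport sets this above
# its largest legitimate decompressed payload and drops the connection on
# violation rather than continuing with a poisoned stream state.
MAX_INFLATED_PER_PACKET = 1 << 20  # 1 MiB


class InflateLimitExceeded(Exception):
    """A packet would inflate beyond MAX_INFLATED_PER_PACKET."""


class SyncFlushDeflater:
    """Peer side: produces packets the way a stream compressor does."""

    def __init__(self):
        self._c = zlib.compressobj()

    def deflate_packet(self, payload: bytes) -> bytes:
        return self._c.compress(payload) + self._c.flush(zlib.Z_SYNC_FLUSH)


class BoundedInflater:
    """Receiving side: inflates packet by packet with a hard output cap."""

    def __init__(self, limit: int = MAX_INFLATED_PER_PACKET):
        self._d = zlib.decompressobj()
        self.limit = limit

    def inflate_packet(self, compressed: bytes) -> bytes:
        # Ask for at most limit+1 bytes: the extra byte distinguishes
        # "exactly limit" from "more than limit" without inflating further.
        out = self._d.decompress(compressed, max_length=self.limit + 1)
        if len(out) > self.limit or self._d.unconsumed_tail:
            # Output was cut short by the cap, so more data is pending: stop
            # here, nothing beyond limit+1 bytes was ever allocated.
            raise InflateLimitExceeded(
                "packet inflates past %d bytes (%d produced, %d input bytes unread)"
                % (self.limit, len(out), len(self._d.unconsumed_tail)))
        return out


def demo():
    """Constructed exchange: one ordinary packet, then one that is almost
    entirely zero bytes.  Returns (normal_ok, bomb_rejected, bomb_wire_size,
    amplification_ratio)."""
    plain = b"SSH_MSG_CHANNEL_DATA placeholder " * 10
    expanded = 8 << 20                       # 8 MiB of zeros, constructed
    peer = SyncFlushDeflater()
    server = BoundedInflater()
    normal = peer.deflate_packet(plain)
    bomb = peer.deflate_packet(b"\0" * expanded)
    normal_ok = server.inflate_packet(normal) == plain
    try:
        server.inflate_packet(bomb)
        bomb_rejected = False
    except InflateLimitExceeded:
        bomb_rejected = True
    return normal_ok, bomb_rejected, len(bomb), expanded // len(bomb)


if __name__ == "__main__":
    ok, rejected, wire, ratio = demo()
    print("normal packet accepted:", ok)
    print("oversized packet rejected:", rejected)
    print("wire bytes: %d, amplification about %d:1" % (wire, ratio))
```

The important property is that the cap is enforced by the decompressor's max_length argument, so memory use is bounded before the check runs; testing len(out) after an unbounded decompress would already have allocated the full expansion.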
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-23941
https://www.cve.org/CVERecord?id=CVE-2026-23941
[1] https://security-tracker.debian.org/tracker/CVE-2026-23942
https://www.cve.org/CVERecord?id=CVE-2026-23942
[2] https://security-tracker.debian.org/tracker/CVE-2026-23943
https://www.cve.org/CVERecord?id=CVE-2026-23943
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore