Your message dated Fri, 12 Jun 2026 18:19:43 +0000
with message-id <[email protected]>
and subject line Bug#1139727: fixed in erlang 1:29.0.2+dfsg-1
has caused the Debian Bug report #1139727,
regarding erlang: CVE-2026-48855 CVE-2026-48856 CVE-2026-48858 CVE-2026-48860 CVE-2026-49759 CVE-2026-49760
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1139727: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139727
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: erlang
Version: 1:27.3.4.12+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for erlang.

CVE-2026-48855[0]:
| Exposure of Sensitive Information to an Unauthorized Actor
| vulnerability in Erlang OTP ssh (ssh_sftpd module) allows File
| Discovery.  The SSH_FXP_READLINK handler in ssh_sftpd sends the raw
| result of file:read_link/2 to the client without calling
| chroot_filename/2 to strip the backend root prefix. An authenticated
| SFTP client can create a symlink inside the chroot pointing to /;
| ssh_sftpd resolves the target to the absolute backend root and
| stores it on disk. Reading the symlink back via SSH_FXP_READLINK
| returns that absolute path, for example /data/sftp, instead of the
| chrooted value /.  The information disclosed is the absolute
| filesystem path of the SFTP root directory and of any symlink
| targets within it. No file contents, credentials, or access to paths
| outside the root directory are obtainable through this issue alone.
| This vulnerability is associated with program files
| lib/ssh/src/ssh_sftpd.erl.  This issue affects OTP from OTP 17.0
| before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssh from
| 3.0.1 before 6.0.1, 5.5.2.1 and 5.2.11.8.


CVE-2026-48856[1]:
| Sensitive Data Exposure vulnerability in Erlang OTP inets
| (httpc_response module) allows Retrieve Embedded Sensitive Data.
| The httpc client forwards the Authorization and Proxy-Authorization
| request headers to redirect targets without checking whether the
| redirect crosses an origin boundary. httpc_response:redirect/2
| constructs the redirected request by updating only the host field of
| the header record; all other fields (including authorization and
| proxy_authorization) are copied verbatim. The redirect target host
| is never compared against the original host.  autoredirect defaults
| to true, so this affects all httpc callers that do not explicitly
| disable automatic redirects.  An attacker who controls a server that
| the victim contacts via httpc can issue a cross-origin 3xx redirect
| to a server they also control. The Authorization header (including
| Basic credentials derived from URL userinfo via
| httpc_request:handle_user_info/2) is forwarded to the redirect
| target, allowing credential theft. The same applies to the Proxy-
| Authorization header.  This vulnerability is associated with program
| files lib/inets/src/http_client/httpc_response.erl.  This issue
| affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13
| corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.


CVE-2026-48858[2]:
| Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp
| (ftp_internal module) allows FTP bounce attacks and SSRF via an
| unvalidated PASV response IP address.  The
| ftp_internal:handle_ctrl_result/2 PASV handler (mode=passive,
| ipfamily=inet, ftp_extension=false) extracts the IP address from the
| server's 227 response and passes it directly to gen_tcp:connect/4
| without validating it against the control connection peer address.
| The adjacent EPSV handlers correctly call peername(CSock) to derive
| the IP from the control connection, but the PASV handler does not. A
| malicious or compromised FTP server can redirect the client's data
| connection to an arbitrary internal host and port. On read
| operations (ftp:ls/1,2, ftp:nlist/1,2, ftp:recv/2,3), data from the
| redirected target is returned to the caller. On write operations
| (ftp:send/2,3, ftp:append/2,3), file content is sent to the
| redirected target. This enables SSRF against internal hosts, cloud
| metadata endpoints, and FTP bounce attacks against third-party
| hosts.  The vulnerable path is the default configuration
| (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section
| 3 explicitly recommends validating the PASV response IP against the
| control connection peer.  The ftp application is deprecated and
| scheduled for removal in OTP-30.  This vulnerability is associated
| with program files lib/inets/src/ftp/ftp_internal.erl (inets 5.10.4
| through 6.5, OTP 17.4 through 20.3) and lib/ftp/src/ftp_internal.erl
| (ftp 1.0 and later, OTP 21.0 and later).  This issue affects OTP
| from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to
| inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1
| and 1.2.3.1.


CVE-2026-48860[3]:
| Reliance on IP Address for Authentication vulnerability in
| Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass
| of the distribution-over-TLS LAN allowlist.  The
| inet_tls_dist:check_ip/1 function, which enforces a LAN allowlist
| for Erlang distribution over TLS, calls inet:sockname/1 instead of
| inet:peername/1 to obtain the peer's IP address. Because
| inet:sockname/1 returns the local socket address, both the local IP
| and the supposed peer IP resolve to the same value, causing the
| subnet mask comparison to always succeed regardless of the actual
| remote address. Any holder of a CA-signed TLS certificate can
| therefore bypass the LAN restriction and gain full Erlang
| distribution access to the node, including rpc:call/4 and
| code:load_binary/3.  This vulnerability is associated with program
| file lib/ssl/src/inet_tls_dist.erl.  This issue affects OTP from OTP
| 26.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssl from
| 11.0 before 11.7.2, 11.6.0.2 and 11.2.12.9.


CVE-2026-49759[4]:
| Stack-based Buffer Overflow vulnerability in Erlang OTP erts
| (inet_drv) allows an unauthenticated remote attacker to crash the
| BEAM VM by sending a crafted SCTP ERROR chunk.  The
| sctp_parse_error_chunk function in
| erts/emulator/drivers/common/inet_drv.c parses SCTP ERROR chunks and
| writes cause codes into a fixed-size stack-allocated ErlDrvTermData
| spec[] array without checking bounds. A remote attacker who has
| established an SCTP association to a listening port can send a
| single crafted SCTP ERROR chunk containing enough cause codes to
| overflow the stack buffer, crashing the VM. The attacker can only
| write 16-bit values interleaved with a fixed tag, so the overflow
| does not provide a controlled return address, limiting exploitation
| to Denial of Service.  A crafted SCTP ERROR chunk may also leak bits
| and pieces of Erlang VM memory into the received error packet
| observed by the Erlang process. Such data is already readable by the
| user running the Erlang VM, so the disclosure scope is limited.
| This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and
| 29.0.2, corresponding to erts from 6.0 before 15.2.7.9, 16.4.0.2 and
| 17.0.2.


CVE-2026-49760[5]:
| Stack-based Buffer Overflow vulnerability in Erlang OTP
| (erl_interface) allows Stack-based Buffer Overflow.  This
| vulnerability is associated with program file
| lib/erl_interface/src/misc/ei_printterm.c and program routine
| ei_s_print_term.  The C function ei_s_print_term uses an internal
| 2000-character stack buffer to format terms. When called with an
| encoded Erlang term containing a very large integer (encoded
| representation exceeding 2000 characters), the buffer overflows. The
| overflow bytes are restricted to the ASCII values of 0-9 and A-F,
| which limits exploitation to Denial of Service.  The companion
| function ei_print_term, which prints directly to a FILE instead of a
| memory buffer, does not contain this bug.  This issue affects OTP
| from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding
| to erl_interface from 3.7.16 before 5.5.2.1, 5.7.0.1 and 5.8.1.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-48855
    https://www.cve.org/CVERecord?id=CVE-2026-48855
[1] https://security-tracker.debian.org/tracker/CVE-2026-48856
    https://www.cve.org/CVERecord?id=CVE-2026-48856
[2] https://security-tracker.debian.org/tracker/CVE-2026-48858
    https://www.cve.org/CVERecord?id=CVE-2026-48858
[3] https://security-tracker.debian.org/tracker/CVE-2026-48860
    https://www.cve.org/CVERecord?id=CVE-2026-48860
[4] https://security-tracker.debian.org/tracker/CVE-2026-49759
    https://www.cve.org/CVERecord?id=CVE-2026-49759
[5] https://security-tracker.debian.org/tracker/CVE-2026-49760
    https://www.cve.org/CVERecord?id=CVE-2026-49760

Regards,
Salvatore

--- End Message ---
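Three of the issues in the report above share one root cause: the client accepts an address or a redirect target from the remote side without comparing it against the peer it already trusts (CVE-2026-48856: credentials follow a cross-origin 3xx; CVE-2026-48858: the PASV 227 address is connected to without checking it against the control-connection peer; CVE-2026-48860: the LAN allowlist is evaluated against the local socket address instead of the peer address). The Python below is an example added here to show what each check looks like when done correctly; it is not OTP's own code, and the function names, the sample URL, header set and 227 reply line are all constructed for illustration.

```python
"""Three "is this the peer I actually trust?" checks, modelled on the OTP fixes
described in the report above (CVE-2026-48856, CVE-2026-48858, CVE-2026-48860).
Example code added here, not OTP's own implementation; the function names and
the sample inputs are constructed for illustration."""
import base64
import ipaddress
import re
from urllib.parse import urljoin, urlsplit

# --- CVE-2026-48856: credentials must not follow a cross-origin redirect ----

# Request headers that carry credentials.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization"}

def origin(url):
    """(scheme, host, port) of a URL, with default ports filled in so that
    http://a.example and http://a.example:80 compare equal."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)

def basic_auth_from_userinfo(url):
    """Basic credentials derived from URL userinfo (user:pass@host), the way the
    CVE text describes httpc_request:handle_user_info/2 doing it."""
    parts = urlsplit(url)
    if parts.username is None:
        return None
    raw = f"{parts.username}:{parts.password or ''}".encode()
    return "Basic " + base64.b64encode(raw).decode()

def headers_for_redirect(original_url, location, headers):
    """Headers for the follow-up request after a 3xx. Same origin: forward all.
    Cross origin: drop credential headers. The unfixed behaviour was the
    equivalent of 'return dict(headers)' with no origin comparison at all."""
    target = urljoin(original_url, location)  # Location may be relative
    if origin(target) == origin(original_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}

# --- CVE-2026-48858: PASV address must match the control-connection peer ----

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv_227(line):
    """Parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    m = PASV_RE.search(line)
    if not line.startswith("227") or m is None:
        raise ValueError("not a 227 PASV reply: %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("PASV field out of range: %r" % line)
    return ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2

def pasv_data_endpoint(control_peer_ip, line):
    """Where the data connection may go. RFC 2577 section 3: the address in the
    227 reply must be the server that owns the control connection, otherwise a
    hostile server can point the client at an internal host (SSRF / bounce)."""
    ip, port = parse_pasv_227(line)
    peer = ipaddress.IPv4Address(control_peer_ip)
    if ip != peer:
        raise ValueError(f"PASV address {ip} does not match control peer {peer}")
    return ip, port

# --- CVE-2026-48860: a LAN allowlist must test the peer address -------------

def lan_allows(local_ip, candidate_ip, netmask):
    """True if candidate_ip lies in local_ip's subnet. The bug was calling this
    with the local socket address (sockname) as candidate instead of the peer
    address (peername): then candidate == local_ip and it is always True."""
    net = ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)
    return ipaddress.ip_address(candidate_ip) in net

if __name__ == "__main__":
    url = "http://user:pw@api.example.org/v1"  # constructed sample
    hdrs = {"Authorization": basic_auth_from_userinfo(url), "Accept": "*/*"}
    print(headers_for_redirect(url, "/v2", hdrs))                       # keeps Authorization
    print(headers_for_redirect(url, "http://evil.example.net/", hdrs))  # drops it
    print(pasv_data_endpoint("192.0.2.10", "227 Entering Passive Mode (192,0,2,10,195,80)"))
    print(lan_allows("10.0.0.5", "203.0.113.9", "255.255.255.0"))      # False
    print(lan_allows("10.0.0.5", "10.0.0.5", "255.255.255.0"))         # True: the sockname bug
```

The last line is the CVE-2026-48860 failure mode in miniature: once the candidate is the local address, the subnet test cannot fail, so the allowlist is no check at all. For the httpc case, callers that cannot upgrade immediately can pass `{autoredirect, false}` in the HTTP options and handle 3xx responses themselves, which is what the CVE text means by "explicitly disable automatic redirects".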
--- Begin Message ---
Source: erlang
Source-Version: 1:29.0.2+dfsg-1
Done: Sergei Golovan <[email protected]>

We believe that the bug you reported is fixed in the latest version of
erlang, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sergei Golovan <[email protected]> (supplier of updated erlang package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 12 Jun 2026 20:36:06 +0300
Source: erlang
Architecture: source
Version: 1:29.0.2+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Erlang Packagers <[email protected]>
Changed-By: Sergei Golovan <[email protected]>
Closes: 1045018 1124853 1139727 1139823
Changes:
 erlang (1:29.0.2+dfsg-1) unstable; urgency=medium
 .
   * New upstream release.
     - Fix CVE-2026-48855: Exposure of Sensitive Information to an Unauthorized
       Actor vulnerability in Erlang OTP ssh application (ssh_sftpd module).
     - Fix CVE-2026-48856: Sensitive Data Exposure vulnerability in Erlang OTP
       inets application (httpc_response module).
     - Fix CVE-2026-48858: Server-Side Request Forgery (SSRF) vulnerability in
       Erlang/OTP ftp application (ftp_internal module).
     - Fix CVE-2026-48859: Observable Timing Discrepancy vulnerability in
       Erlang/OTP ssh application (ssh_auth, ssh_options modules).
     - Fix CVE-2026-48860: Reliance on IP Address for Authentication
       vulnerability in Erlang/OTP ssl application (inet_tls_dist module).
     - Fix CVE-2026-49759: Stack-based Buffer Overflow vulnerability in Erlang
       OTP erts (inet_drv).
     - Fix CVE-2026-49760: Stack-based Buffer Overflow vulnerability in Erlang
       OTP (erl_interface).
     Closes: #1139727, #1139823.
   * Drop dependencies of erlang-jinterface on java1-runtime-headless,
     java1-runtime because they don't exist anymore.
   * Drop providing erlang-pcre by erlang-base because it is not used by
     any package and is not necessary anymore.
   * Promote libsctp1 from recommends to depends because erl now emits a
     warning if it cannot find the libsctp library, which makes some packages
     that build depend on Erlang FTBFS.
   * Add a patch which fixes enabling build of odbcserver.
   * Add pkgconf and libglib2.0-dev to the build dependencies for erlang-wx.
   * Refine interdependencies of the binary packages.
   * Use the default build flags (closes: #1124853).
   * Clean up the code which stops epmd on erlang-base removal/upgrade.
   * Do more thorough cleanup after building the package (closes: #1045018).
   * Fix debian/watch to sort upstream version 29.0 after 29.0-rc3.
   * Fix collecting examples which are now installed along with the
     documentation, make links to them in the erlang-doc package.
   * Switch from ronn to the internal manpage generation escript for
     generating manpages in section 1.
   * Add symlink /usr/lib/erlang/man to the Erlang manpages in the erlang-doc
     package.
   * Compress manpages in the erlang-doc package.
   * Use -n option for gzip when compressing manpages for reproducibility.
   * Do not remove id from the EPUB contents files in docs, just replace it
     by a deterministic value.
   * Replace echo by printf in the makefile for generating docs because
     sometimes echo "\n" prints literal \n for reproducibility.
   * Move HTML and EPUB docs directly to the /usr/share/doc/erlang-doc
     directory.
   * Respect SOURCE_DATE_EPOCH when generating footers of HTML docs for
     reproducibility.
Checksums-Sha1:
 b0494f5c21cb7ecbc9e54ede7bbd342548288ef6 5002 erlang_29.0.2+dfsg-1.dsc
 2199eb78fd3f51eaa690e38a1467873683a04456 49253348 erlang_29.0.2+dfsg.orig.tar.xz
 57531eb6509af98678d84a85ee5b40f782d3b667 61932 erlang_29.0.2+dfsg-1.debian.tar.xz
 e4ddd32871955ef3c0341672d3cf1c7477992ddd 32569 erlang_29.0.2+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 b1ac5e8c01b6f7828fe7283492a2d4201a58bce158c3b12268b2302d4d87d0b5 5002 erlang_29.0.2+dfsg-1.dsc
 14c1277b6ac0c6940952d253389dc04b1bf129c30a77567d99c99c9d5592eb42 49253348 erlang_29.0.2+dfsg.orig.tar.xz
 bf585df968de5f14d5fdf163b8b45011a454549d2f159c38eab13812f65a8141 61932 erlang_29.0.2+dfsg-1.debian.tar.xz
 62c4631305af5e752b9a04f845ca2da5e5cd417ceb3591134cbe50da27a576ea 32569 erlang_29.0.2+dfsg-1_amd64.buildinfo
Files:
 a9202e0fd46291c6001632880d373ec3 5002 interpreters optional erlang_29.0.2+dfsg-1.dsc
 6dd10e3f187393805df50ec099f3f158 49253348 interpreters optional erlang_29.0.2+dfsg.orig.tar.xz
 4fdbf975ed79957231f6b11987d3ae5d 61932 interpreters optional erlang_29.0.2+dfsg-1.debian.tar.xz
 7174d95200c893b3e5f7d12f2c53fc5b 32569 interpreters optional erlang_29.0.2+dfsg-1_amd64.buildinfo



--- End Message ---
