Your message dated Sun, 05 Jul 2026 19:04:16 +0000
with message-id <[email protected]>
and subject line Bug#1141414: fixed in erlang 1:29.0.3+dfsg-1
has caused the Debian Bug report #1141414,
regarding erlang: CVE-2026-53422 CVE-2026-54886 CVE-2026-54887 CVE-2026-54891
CVE-2026-55950 CVE-2026-55952
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1141414: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141414
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: erlang
Version: 1:29.0.2+dfsg-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for erlang.
CVE-2026-53422[0]:
| Observable Response Discrepancy vulnerability in Erlang OTP ssh
| (ssh_sftpd module) allows an authenticated SFTP user to enumerate
| the existence of files and directories outside the configured root
| directory. The SSH_FXP_REALPATH handler in ssh_sftpd calls
| relate_file_name/3 with Canonicalize=false, unlike every other SFTP
| operation handler. This allows .. components in the requested path
| to bypass the is_within_root/2 check without being resolved. The un-
| canonicalized path then enters resolve_symlinks/2, which walks up
| the directory tree above the configured root and issues read_link()
| syscalls on arbitrary filesystem paths. An authenticated SFTP
| client can exploit this by sending a REALPATH request with a crafted
| traversal path. The server response differs depending on whether the
| target path exists on the host filesystem (SSH_FXP_NAME when the
| path resolves successfully, SSH_FX_NO_SUCH_FILE when it does not).
| This creates a path-existence oracle that an attacker can use to
| enumerate the filesystem structure outside the configured root,
| including the existence of sensitive files, directories, and mount
| points. The vulnerability leaks only the existence of paths. No
| file contents, credentials, or write access are obtainable through
| this issue alone. The information gained may assist further attacks
| when combined with other vulnerabilities. This vulnerability is
| associated with program files lib/ssh/src/ssh_sftpd.erl and program
| routine ssh_sftpd:handle_op/4. This issue affects OTP from OTP 17.0
| until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from
| 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.
CVE-2026-54886[1]:
| Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability
| in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP
| user to render an SFTP channel permanently unresponsive. The
| handle_data/4 function in ssh_sftpd contains a catch-all clause that
| accepts channel data of any type. When channel data with a non-zero
| type code (SSH_MSG_CHANNEL_EXTENDED_DATA) arrives with an empty
| pending buffer and a payload at or below the SFTP packet size limit,
| the clause tail-calls itself with identical arguments, creating an
| infinite loop. The SFTP protocol operates exclusively on normal
| channel data (type 0). Extended data (non-zero type) is meaningless
| for SFTP and is never sent by conforming clients. However, the SSH
| protocol permits any channel participant to send extended data on an
| open channel, so an authenticated SFTP client can trigger the loop
| by sending SSH_MSG_CHANNEL_EXTENDED_DATA with any data_type_code and
| any non-empty payload at or below the size limit. The targeted
| ssh_sftpd process enters an infinite tail-recursive loop. It never
| processes another message, its message queue grows without bound,
| and it can only be stopped by killing the process. BEAM's reduction-
| based scheduler preemption continues to function, so other processes
| on the node are not starved, but each stuck channel process consumes
| its full CPU time share continuously and accumulates unbounded
| message queue memory. Opening many channels amplifies the CPU and
| memory impact. Erlang/OTP SSH configurations using the default
| max_channels setting (infinity) allow an authenticated user to open
| unlimited channels per connection, amplifying the attack without
| requiring multiple TCP connections or authentications. No file
| contents, credentials, or write access are obtainable through this
| issue. The impact is limited to denial of service on targeted SFTP
| channels, with secondary CPU degradation and memory growth. This
| vulnerability is associated with program file
| lib/ssh/src/ssh_sftpd.erl and program routine
| ssh_sftpd:handle_data/4. This issue affects OTP from OTP 17.0 until
| OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1
| until 6.0.2, 5.5.2.2, and 5.2.11.9.
CVE-2026-54887[2]:
| Use of Default Cryptographic Key vulnerability in Erlang/OTP ssl
| (DTLS server) allows predictable DTLS cookie computation during the
| startup window, enabling source address verification bypass. On
| DTLS server startup, dtls_server_connection:initial_hello/3
| initializes previous_cookie_secret to the empty binary (<<>>)
| instead of a random value. Because HMAC with an empty key is
| deterministic, anyone who observes the plaintext ClientHello can
| compute dtls_handshake:cookie(<<>>, IP, Port, Hello) and forge a
| valid DTLS cookie before the first rotation of the cookie secret.
| The DTLS cookie (RFC 6347 ยง4.2.1) is a denial-of-service mitigation
| that prevents spoofed source IPs from forcing the server to allocate
| state and perform expensive cryptographic operations; it is not an
| authentication mechanism. During the window from server startup
| until the first secret rotation (0 to 15 seconds), an attacker who
| can observe the plaintext ClientHello can bypass the source address
| verification, enabling DTLS handshake amplification with spoofed
| source addresses. This vulnerability is associated with program
| file lib/ssl/src/dtls_server_connection.erl and program routine
| dtls_server_connection:initial_hello/3. This issue affects OTP from
| OTP 20.0 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl
| from 8.2 before 11.7.3, 11.6.0.3 and 11.2.12.10.
CVE-2026-54891[3]:
| Improper Enforcement of Message Integrity During Transmission in a
| Communication Channel vulnerability in Erlang/OTP ssl
| (tls_gen_connection module) allows a network-positioned attacker to
| inject unauthenticated plaintext that the TLS client application
| later treats as authenticated server data. The function
| tls_gen_connection:handle_protocol_record/3 rejects APPLICATION_DATA
| records that arrive in pre-handshake states when the TLS endpoint
| acts as a server, but does not apply the same check when the
| endpoint acts as a client. A network-positioned attacker can send
| plaintext APPLICATION_DATA records to the client during the
| handshake. The records are buffered and, once the handshake
| completes successfully, delivered to the application as if they were
| authenticated post-handshake data. The attacker cannot observe the
| client's response or steer the connection, so the impact is limited
| to blind injection of unauthenticated bytes. The injection window is
| wider for TLS versions prior to TLS 1.3 than for TLS 1.3. This
| vulnerability is associated with program file
| lib/ssl/src/tls_gen_connection.erl. This issue affects OTP from OTP
| 17.0 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from
| 5.3.4 before 11.7.3, 11.6.0.3 and 11.2.12.10. TLS 1.3 is affected
| starting with OTP 22.0, when TLS 1.3 support was added.
CVE-2026-55950[4]:
| Time-of-check Time-of-use (TOCTOU) race condition vulnerability in
| Erlang/OTP ssl (dtls_packet_demux module) allows an unauthenticated
| remote attacker to crash all active DTLS sessions on a listener. A
| DTLS server listener uses a single shared dtls_packet_demux
| gen_server process to route incoming UDP datagrams to the correct
| connection handler. When a DTLS client reconnects rapidly from the
| same source address and port (sending multiple ClientHello messages
| in quick succession), a race condition in the demux's internal
| gb_trees key-value store causes a {key_exists, {old, Client}} crash,
| terminating the demux process. Because the demux is shared across
| all DTLS associations on that listener, its crash immediately kills
| every active DTLS session, not just the attacker's. The attack is
| pre-authentication: the attacker only needs to send UDP datagrams
| containing valid ClientHello messages from the same source IP and
| port before the intermediate DOWN monitor message is processed by
| the gen_server. No credentials, no completed handshake, and no
| special configuration are required, and the crash can be repeated
| indefinitely to create a persistent denial of service for all
| clients of that listener. This vulnerability is associated with
| program file lib/ssl/src/dtls_packet_demux.erl. This issue affects
| OTP from OTP 25.3 before 29.0.3, 28.5.0.3, and 27.3.4.14
| corresponding to ssl from 10.9 before 11.7.3, 11.6.0.3, and
| 11.2.12.10.
CVE-2026-55952[5]:
| The Erlang/OTP ssl application does not validate that the PSK
| identity list and binder list carried in a TLS 1.3 ClientHello pre-
| shared key extension have equal length before passing them to the
| session ticket handler. In
| tls_handshake_1_3:handle_pre_shared_key/3, an OfferedPreSharedKeys
| record with a mismatched number of identities and binders is
| forwarded directly to tls_server_session_ticket:use/4, which crashes
| the session ticket handler process. An unauthenticated remote
| attacker can send a single crafted ClientHello to a TLS 1.3 server
| with session tickets enabled (stateful or stateless mode) and
| permanently disrupt session ticket handling on that listener. New
| TLS 1.3 handshakes complete but subsequently crash when the server
| attempts to issue a session ticket, effectively making TLS 1.3
| unusable on the affected listener until the ssl application is
| restarted. TLS 1.2 connections are not affected. This issue affects
| OTP from 22.2 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to
| ssl from 9.5 before 11.7.3, 11.6.0.3 and 11.2.12.10.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-53422
https://www.cve.org/CVERecord?id=CVE-2026-53422
[1] https://security-tracker.debian.org/tracker/CVE-2026-54886
https://www.cve.org/CVERecord?id=CVE-2026-54886
[2] https://security-tracker.debian.org/tracker/CVE-2026-54887
https://www.cve.org/CVERecord?id=CVE-2026-54887
[3] https://security-tracker.debian.org/tracker/CVE-2026-54891
https://www.cve.org/CVERecord?id=CVE-2026-54891
[4] https://security-tracker.debian.org/tracker/CVE-2026-55950
https://www.cve.org/CVERecord?id=CVE-2026-55950
[5] https://security-tracker.debian.org/tracker/CVE-2026-55952
https://www.cve.org/CVERecord?id=CVE-2026-55952
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: erlang
Source-Version: 1:29.0.3+dfsg-1
Done: Sergei Golovan <[email protected]>
We believe that the bug you reported is fixed in the latest version of
erlang, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sergei Golovan <[email protected]> (supplier of updated erlang package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 05 Jul 2026 21:21:35 +0300
Source: erlang
Architecture: source
Version: 1:29.0.3+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Erlang Packagers <[email protected]>
Changed-By: Sergei Golovan <[email protected]>
Closes: 1141414
Changes:
erlang (1:29.0.3+dfsg-1) unstable; urgency=medium
.
* New upstream release.
- Fix CVE-2026-53422: Observable Response Discrepancy vulnerability in
Erlang OTP ssh application (ssh_sftpd module).
- Fix CVE-2026-54886: Loop with Unreachable Exit Condition ('Infinite
Loop') vulnerability in Erlang OTP ssh application (ssh_sftpd module).
- Fix CVE-2026-54887: Use of Default Cryptographic Key vulnerability in
Erlang/OTP ssl application (DTLS server)
- Fix CVE-2026-54891: Improper Enforcement of Message Integrity During
Transmission in a Communication Channel vulnerability in Erlang/OTP ssl
application (tls_gen_connection module).
- Fix CVE-2026-55950: Time-of-check Time-of-use (TOCTOU) race condition
vulnerability in Erlang/OTP ssl application (dtls_packet_demux module).
- Fix CVE-2026-55952: The Erlang/OTP ssl application does not validate
that the PSK identity list and binder list carried in a TLS 1.3
ClientHello pre-shared key extension have equal length before passing
them to the session ticket handler.
Closes: #1141414.
Checksums-Sha1:
aca9508adfed1d874e327e367485d9d3192e4815 5002 erlang_29.0.3+dfsg-1.dsc
83586fd37e285886b97064d60dc8addf6a045f5d 49270776
erlang_29.0.3+dfsg.orig.tar.xz
ac8e94fa1e94c45c6dd654eab8b8faaf47df6da4 62292
erlang_29.0.3+dfsg-1.debian.tar.xz
94b75a6ff59936c4fb2b54c123e34f961fb38100 32816
erlang_29.0.3+dfsg-1_amd64.buildinfo
Checksums-Sha256:
5a6d1e0ae550591ad6a7e67898a9ff353e6e2aee8e29033f592fb45b78ec1016 5002
erlang_29.0.3+dfsg-1.dsc
4fe8354860c804dee0ead66358775e0633fec987c14bd2be06e3698fd7cf865f 49270776
erlang_29.0.3+dfsg.orig.tar.xz
eefff1f28ec69209cad336b85e9add647937e5aedefb066481fe21f63eab61bb 62292
erlang_29.0.3+dfsg-1.debian.tar.xz
0f588b468b38492a90818cc49ec17e10e2a74f15b3ca4764ddae54ff19d40e0f 32816
erlang_29.0.3+dfsg-1_amd64.buildinfo
Files:
4abaa2a981f5c7779e4b550b26730746 5002 interpreters optional
erlang_29.0.3+dfsg-1.dsc
7ddcfce419392820a2d4d5cea152a3e1 49270776 interpreters optional
erlang_29.0.3+dfsg.orig.tar.xz
0ab530846a796637eca437f6e189531b 62292 interpreters optional
erlang_29.0.3+dfsg-1.debian.tar.xz
5f71e98d08d8f725bada1b348ceaa876 32816 interpreters optional
erlang_29.0.3+dfsg-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE/SYPsyDB+ShSnvc4Tyrk60tj54cFAmpKo+cACgkQTyrk60tj
54cf3RAAsuFWLdrHdFU/PrkeCk0p+TKzGWY2UOubog2rO7EUthAR6SBggLGtuSXl
SsIiSj3P2CLPPUPa+KalZZKioIq41LTxn6i2Udg8Kg5KvJZy+NAPCi//Yc7d854P
cq02Fjq0cEIBpLkQHa4txBidViO383/W9BE+VKl4PnLyv2CxtNyF+z4Fn7G1vlk5
Aefm/XjYdejww7BS7lxEKuml3lnz6QETVtfnQL0jx57up5r5+WWErVrrpIyfPEqw
WCXT4zKezNPoYxzUibGR8K438C3e4WwjpVJV8NKZuOKplianR/GutsmOka2pchQd
qXoTX2pM6pFfTdPN4VYB+jIMsV6Ejs5A80jhSbynTxJ5xwqMuvN9L/HnCC13e/Rw
XmMZE99rTCN7DTA7y7QcLpkVAZW/IRl7XeJt+qpuqXazU6CVhtSWKmWlylm5ztJC
P5qFvBcno86pCrhUnYRwrtEKkpuNqDOiNeJAO5twI3In+tfvGqDuI193vw7/qrEk
4dH43mFPN2hwd+Kb5frK21C6sL6tB2z+N9J8CInUFR6orE9a5ejXZefJ5OUIk8uI
K7Ih/RegOVDhBfN9gVaFqUjUrN86lsZvXOcW3cGDRAbdMicChtRUL9bJLeBswTAF
B2R9oi7M3hJJdH/fL6gfjR2iSlm/ma3xfTJ1Gxdl3BWA8DLrWbQ=
=eDYt
-----END PGP SIGNATURE-----
pgp6b9IZzYSMS.pgp
Description: PGP signature
--- End Message ---