> From: Kurt Jaeger <[email protected]>
> Can you provide those entries?

And here's what I came up with for erlang.  I don't know if erlang-java or 
erlang-wx should be included, and wasn't sure how to handle the older 
erlang-runtime versions, since they are not documented as having a fixed 
version in the reports I've found.


    <topic>Erlang - Absolute Path in Zip Module</topic>
    <affects>
      <package>
        <name>erlang</name>
        <range><ge>17.0</ge><lt>26.2.5.13,4</lt></range>
      </package>
      <package>
        <name>erlang-runtime26</name>
        <range><lt>26.2.5.13</lt></range>
      </package>
      <package>
        <name>erlang-runtime27</name>
        <range><lt>27.3.4.1</lt></range>
      </package>
      <package>
        <name>erlang-runtime28</name>
        <range><lt>28.0.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Erlang/OTP reports:</p>
        <blockquote cite="https://github.com/erlang/otp/security/advisories/GHSA-9g37-pgj9-wrhc">
          <p>Improper Limitation of a Pathname to a Restricted Directory ('Path
          Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute
          Path Traversal, File Manipulation. This vulnerability is associated with
          program files lib/stdlib/src/zip.erl and program routines zip:unzip/1,
          zip:unzip/2, zip:extract/1, zip:extract/2 unless the memory option is
          passed. This issue affects OTP from OTP 17.0 until OTP 28.0.1,
          OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to stdlib from 2.0 until
          7.0.1, 6.2.2.1 and 5.2.3.4.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2025-4748</cvename>
      <url>https://nvd.nist.gov/vuln/detail/CVE-2025-4748</url>
    </references>
    <dates>
      <discovery>2025-06-16</discovery>
      <entry>2025-10-29</entry>
      <modified>2025-10-29</modified>
    </dates>
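For readers of the entry who still run an affected OTP and cannot upgrade yet, the advisory quoted above singles out the `memory` option as the code path that is not affected. The module below is an added example written for this thread; it is not code from the OTP project, from the advisory, or from the proposed VuXML entry. It extracts an archive with `zip:unzip/2` in `memory` mode so stdlib never writes to disk itself, rejects any entry whose name is absolute or contains a `..` component, and only then writes the validated entries under a caller-chosen directory. The module name `safe_unzip` and the function names are assumptions of this example; `zip`, `filename`, `filelib` and `file` are the standard OTP modules.

```erlang
%% safe_unzip.erl -- added example for the CVE-2025-4748 thread, not OTP code.
%% Extract a zip archive without letting entry names choose the destination.
-module(safe_unzip).
-export([extract/2, check_name/1]).

%% extract(Archive, Dir) -> {ok, [WrittenPath]} | {error, Reason}
%% Archive is a file name or a binary, Dir is the directory to unpack into.
%% Everything is unpacked into memory first (the `memory` option the advisory
%% names as unaffected); we decide where each entry lands, not the archive.
extract(Archive, Dir) ->
    case zip:unzip(Archive, [memory]) of
        {ok, Entries} ->
            Bad = [{Name, Why} || {Name, _Bin} <- Entries,
                                  {error, Why} <- [check_name(Name)]],
            case Bad of
                [] -> write_all(Entries, Dir);
                _  -> {error, {unsafe_entries, Bad}}
            end;
        {error, Reason} ->
            {error, Reason}
    end.

%% check_name(Name) -> ok | {error, Why}
%% Accept only non-empty, relative names with no ".." component, so that
%% filename:join(Dir, Name) can never resolve outside Dir.
check_name("") ->
    {error, empty_name};
check_name(Name) ->
    case filename:pathtype(Name) of
        relative ->
            case lists:member("..", filename:split(Name)) of
                true  -> {error, parent_reference};
                false -> ok
            end;
        _Other ->
            %% absolute (or, on Windows, volumerelative) names are rejected
            {error, absolute_path}
    end.

%% Write every validated entry below Dir, creating parent directories.
write_all(Entries, Dir) ->
    Paths = [write_one(Name, Bin, Dir) || {Name, Bin} <- Entries],
    {ok, Paths}.

write_one(Name, Bin, Dir) ->
    Path = filename:join(Dir, Name),
    case lists:last(Name) of
        $/ ->
            %% directory entry: create it and write nothing
            ok = filelib:ensure_dir(filename:join(Path, "placeholder")),
            Path;
        _ ->
            ok = filelib:ensure_dir(Path),
            ok = file:write_file(Path, Bin),
            Path
    end.

%% Usage from the shell (paths are placeholders):
%%   safe_unzip:extract("upload.zip", "/var/tmp/extract").
%% An archive carrying an absolute or ".." entry returns
%%   {error, {unsafe_entries, [{Name, absolute_path | parent_reference}, ...]}}
%% and nothing is written.
```

The whole archive is rejected, rather than skipping the bad entries, so that a partially unpacked tree never reaches the next processing step; callers that want to log which names failed get them in the error tuple. Unpacking into memory also bounds the damage of a malformed archive to the VM heap, which is the trade-off to keep in mind for very large inputs.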
