
[SECURITY] [DLA 4132-1] erlang security update




-------------------------------------------------------------------------
Debian LTS Advisory DLA-4132-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien Roucariès
April 21, 2025                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : erlang
Version        : 1:23.2.6+dfsg-1+deb11u2
CVE ID         : CVE-2023-48795 CVE-2025-26618 CVE-2025-30211 CVE-2025-32433
Debian Bug     : 1059002 1101713 1103442

Multiple vulnerabilities were fixed in erlang.

CVE-2023-48795 (Terrapin attack)

    The SSH transport protocol with certain OpenSSH extensions
    allows remote attackers to bypass integrity checks such
    that some packets are omitted (from the extension
    negotiation message), and a client and server may
    consequently end up with a connection for which
    some security features have been downgraded.
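The Terrapin countermeasure is visible on the wire: a patched peer lists a strict-kex pseudo-algorithm ("kex-strict-s-v00@openssh.com" for servers, "kex-strict-c-v00@openssh.com" for clients) in its SSH_MSG_KEXINIT, and the attack only applies when ChaCha20-Poly1305 or a CBC cipher with an encrypt-then-MAC MAC can be negotiated. The following is an added Python example, not code from the advisory or from Erlang/OTP, that builds and parses KEXINIT payloads (RFC 4253 layout) and reports what a defender would check on a captured or received KEXINIT; the sample algorithm lists are constructed for illustration.

```python
import struct

SSH_MSG_KEXINIT = 20

# Pseudo-algorithm names in the kex list that signal "strict key exchange",
# the OpenSSH countermeasure for CVE-2023-48795 (Terrapin).
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"

# Cipher modes the Terrapin paper showed to be exploitable:
# ChaCha20-Poly1305, and any CBC cipher combined with an encrypt-then-MAC MAC.
CHACHA = "chacha20-poly1305@openssh.com"
ETM_SUFFIX = "-etm@openssh.com"

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def encode_name_list(names):
    """RFC 4251 name-list: uint32 length + comma-separated US-ASCII names."""
    raw = ",".join(names).encode("ascii")
    return struct.pack(">I", len(raw)) + raw


def build_kexinit(kex, hostkey, enc, mac, comp=("none",), cookie=b"\x00" * 16):
    """Build a KEXINIT payload, offering the same lists in both directions."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in (kex, hostkey, enc, enc, mac, mac, comp, comp, (), ()):
        payload += encode_name_list(names)
    payload += b"\x00"               # first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)  # reserved
    return payload


def parse_kexinit(payload):
    """Parse a KEXINIT payload into a dict of its ten name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message id + 16-byte cookie
    lists = []
    for _ in FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + n]
        if len(raw) != n:
            raise ValueError("truncated name-list")
        off += n
        lists.append(raw.decode("ascii").split(",") if raw else [])
    return dict(zip(FIELDS, lists))


def assess_kexinit(kexinit, role="server"):
    """Return Terrapin-relevant findings for a peer's parsed KEXINIT."""
    findings = []
    strict = STRICT_KEX_SERVER if role == "server" else STRICT_KEX_CLIENT
    if strict not in kexinit["kex"]:
        findings.append(f"{role} does not advertise {strict}")
    for enc_key, mac_key in (("enc_c2s", "mac_c2s"), ("enc_s2c", "mac_s2c")):
        ciphers, macs = kexinit[enc_key], kexinit[mac_key]
        if CHACHA in ciphers:
            findings.append(f"{enc_key} offers {CHACHA}")
        cbc = [c for c in ciphers if c.endswith("-cbc")]
        etm = [m for m in macs if m.endswith(ETM_SUFFIX)]
        if cbc and etm:
            findings.append(f"{enc_key} offers CBC ciphers {cbc} with EtM MACs {etm}")
    return findings


if __name__ == "__main__":
    # Constructed server KEXINIT without strict kex and with affected modes.
    weak = build_kexinit(["curve25519-sha256"], ["ssh-ed25519"],
                         [CHACHA, "aes256-cbc"], ["hmac-sha2-256-etm@openssh.com"])
    for line in assess_kexinit(parse_kexinit(weak)):
        print("finding:", line)
```

Absence of the strict-kex marker on one side is enough to leave the handshake unprotected, so both the client's and the server's KEXINIT need to be checked; the role argument selects which marker is expected.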

CVE-2025-26618

    The SSH transport protocol with certain OpenSSH extensions
    allows remote attackers to bypass integrity checks such
    that some packets are omitted (from the extension
    negotiation message), and a client and server may
    consequently end up with a connection for which
    some security features have been downgraded.

CVE-2025-30211

    The SSH transport protocol with certain OpenSSH extensions
    allows remote attackers to bypass integrity checks such
    that some packets are omitted (from the extension
    negotiation message), and a client and server may
    consequently end up with a connection for which
    some security features have been downgraded.

CVE-2025-32433

    An SSH server may allow an attacker to perform unauthenticated
    remote code execution (RCE). By exploiting a flaw in SSH protocol
    message handling, a malicious actor could gain unauthorized access
    to affected systems and execute arbitrary commands without valid
    credentials.
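The advisory describes CVE-2025-32433 only as a flaw in SSH protocol message handling that lets an unauthenticated client reach command execution. The standard defence for that class of bug is an authentication gate in the message dispatcher: connection-protocol messages (numbers 80 to 127 per RFC 4250, which carry channel opens and "exec" requests) are refused until the server has sent SSH_MSG_USERAUTH_SUCCESS. The following is an added Python model of such a gate; it is not Erlang/OTP code and does not describe the OTP patch. The ToySshServer class, its dict-shaped message bodies, the password check and the sample sessions are all constructed for illustration.

```python
# SSH message numbers from RFC 4250. Connection-protocol messages occupy
# 80..127 and must never be acted on before user authentication completes.
SSH_MSG_DISCONNECT = 1
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_OPEN_CONFIRMATION = 91
SSH_MSG_CHANNEL_REQUEST = 98
SSH_MSG_CHANNEL_SUCCESS = 99
SSH_MSG_CHANNEL_FAILURE = 100
CONNECTION_MSGS = range(80, 128)


class ToySshServer:
    """Post-key-exchange message dispatcher with an authentication gate.

    Constructed model: message bodies are plain dicts and the only auth
    method is a password compared in cleartext, which is fine for a model
    but not for a real server.
    """

    def __init__(self, password):
        self.password = password
        self.authenticated = False
        self.disconnected = False
        self.channels = set()
        self.exec_requests = []  # commands that reached the exec handler
        self.audit = []          # what a defender would want logged

    def handle(self, msg_type, body):
        """Dispatch one message; returns the message number of the reply."""
        if self.disconnected:
            return None
        # The gate: refuse every connection-protocol message before auth
        # and drop the connection, rather than routing it to a handler.
        if msg_type in CONNECTION_MSGS and not self.authenticated:
            self.audit.append(f"rejected msg {msg_type} before authentication")
            self.disconnected = True
            return SSH_MSG_DISCONNECT
        if msg_type == SSH_MSG_USERAUTH_REQUEST:
            if body.get("password") == self.password:
                self.authenticated = True
                self.audit.append(f"user {body.get('user')} authenticated")
                return SSH_MSG_USERAUTH_SUCCESS
            self.audit.append(f"failed auth for user {body.get('user')}")
            return SSH_MSG_USERAUTH_FAILURE
        if msg_type == SSH_MSG_CHANNEL_OPEN:
            self.channels.add(body["channel"])
            return SSH_MSG_CHANNEL_OPEN_CONFIRMATION
        if msg_type == SSH_MSG_CHANNEL_REQUEST:
            if body["channel"] in self.channels and body.get("request") == "exec":
                self.exec_requests.append(body["command"])
                return SSH_MSG_CHANNEL_SUCCESS
            return SSH_MSG_CHANNEL_FAILURE
        self.audit.append(f"unhandled msg {msg_type}")
        return None


def run_session(server, messages):
    """Feed a list of (msg_type, body) pairs and collect the replies."""
    return [server.handle(msg_type, body) for msg_type, body in messages]


if __name__ == "__main__":
    # Constructed session: a client that authenticates, then runs a command.
    srv = ToySshServer(password="hunter2")
    print(run_session(srv, [
        (SSH_MSG_USERAUTH_REQUEST, {"user": "ops", "password": "hunter2"}),
        (SSH_MSG_CHANNEL_OPEN, {"channel": 0}),
        (SSH_MSG_CHANNEL_REQUEST, {"channel": 0, "request": "exec", "command": "uptime"}),
    ]))
    print(srv.audit)
```

The point of the model is that the check lives in one place, ahead of every handler, and is keyed on message number range rather than on a per-handler flag, so a newly added connection-protocol handler cannot forget it; the audit entries are the events worth forwarding to a SIEM.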

For Debian 11 bullseye, these problems have been fixed in version
1:23.2.6+dfsg-1+deb11u2.

We recommend that you upgrade your erlang packages.

For the detailed security status of erlang please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/erlang

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

