[SECURITY] [DSA 5906-1] erlang security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5906-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 20, 2025                        https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : erlang
CVE ID : CVE-2023-48795 CVE-2025-26618 CVE-2025-30211 CVE-2025-32433
Several vulnerabilities were discovered in the Erlang/OTP implementation
of the SSH protocol, which may result in denial of service or the
execution of arbitrary code.
For the stable distribution (bookworm), these problems have been fixed in
version 1:25.2.3+dfsg-1+deb12u1.
We recommend that you upgrade your erlang packages.
For the detailed security status of erlang please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/erlang
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4132-1] erlang security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4132-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Bastien Roucariès
April 21, 2025                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : erlang
Version : 1:23.2.6+dfsg-1+deb11u2
CVE ID : CVE-2023-48795 CVE-2025-26618 CVE-2025-30211 CVE-2025-32433
Debian Bug : 1059002 1101713 1103442
Multiple vulnerabilities were fixed in erlang.
CVE-2023-48795 (Terrapin attack)

    The SSH transport protocol with certain OpenSSH extensions
    allows remote attackers to bypass integrity checks such
    that some packets are omitted (from the extension
    negotiation message), and a client and server may
    consequently end up with a connection for which
    some security features have been downgraded.

CVE-2025-26618

    The SSH transport protocol with certain OpenSSH extensions
    allows remote attackers to bypass integrity checks such
    that some packets are omitted (from the extension
    negotiation message), and a client and server may
    consequently end up with a connection for which
    some security features have been downgraded.

CVE-2025-30211

    The SSH transport protocol with certain OpenSSH extensions
    allows remote attackers to bypass integrity checks such
    that some packets are omitted (from the extension
    negotiation message), and a client and server may
    consequently end up with a connection for which
    some security features have been downgraded.

CVE-2025-32433

    An SSH server may allow an attacker to perform unauthenticated
    remote code execution (RCE). By exploiting a flaw in SSH protocol
    message handling, a malicious actor could gain unauthorized access
    to affected systems and execute arbitrary commands without valid
    credentials.
For Debian 11 bullseye, these problems have been fixed in version
1:23.2.6+dfsg-1+deb11u2.
We recommend that you upgrade your erlang packages.
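The practical question both advisories leave to the reader is whether a given host is still below the fixed version. The following is an added example, not Debian's or the erlang package's own code: it reads the Package / Version / CVE ID lines exactly as printed in the DLA above and compares an installed version against the fixed one using the dpkg version-ordering rules (epoch, then upstream part, then Debian revision, with digit runs compared numerically and a tilde sorting before everything, including the end of a part). The installed version strings in the `__main__` block are constructed samples; on a real host the value would come from `dpkg-query -W -f='${Version}' erlang-base`.

```python
"""Compare an installed Debian erlang version against a DSA/DLA fixed version.

Added example (not Debian's code). Re-implements dpkg's version ordering so
the check works for security (+debNuM) and backport (~bpo) suffixes without
shelling out to dpkg. Advisory fields are quoted from DLA-4132-1 as printed
on this page; installed versions below are constructed sample inputs.
"""
import re

# Header fields as printed in the DLA-4132-1 body.
DLA_4132_FIELDS = """\
Package : erlang
Version : 1:23.2.6+dfsg-1+deb11u2
CVE ID : CVE-2023-48795 CVE-2025-26618 CVE-2025-30211 CVE-2025-32433
"""


def _char_weight(c):
    """dpkg ordering for non-digit chars: '~' < end-of-string (0) < letters
    < every other character."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        wa = _char_weight(a[i]) if i < len(a) else 0
        wb = _char_weight(b[i]) if i < len(b) else 0
        if wa != wb:
            return -1 if wa < wb else 1
    return 0


def _cmp_fragment(a, b):
    """Compare an upstream or revision part by alternating non-digit runs
    (lexical, dpkg weights) and digit runs (numeric)."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group()
        nb = re.match(r"[^0-9]*", b).group()
        c = _cmp_nondigit(na, nb)
        if c:
            return c
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r"[0-9]*", a).group()
        db = re.match(r"[0-9]*", b).group()
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch_str, sep, rest = v.partition(":")
    if sep and epoch_str.isdigit():
        epoch = int(epoch_str)
    else:
        epoch, rest = 0, v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def parse_advisory_fields(text):
    """Pull Package, fixed Version and the CVE list out of advisory header lines."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {"package": fields["Package"],
            "fixed_version": fields["Version"],
            "cves": fields["CVE ID"].split()}


def assess(installed, advisory):
    """Flag the host if the installed version sorts below the fixed version."""
    vulnerable = compare_versions(installed, advisory["fixed_version"]) < 0
    return {"package": advisory["package"], "installed": installed,
            "fixed_version": advisory["fixed_version"], "vulnerable": vulnerable,
            "open_cves": list(advisory["cves"]) if vulnerable else []}


if __name__ == "__main__":
    adv = parse_advisory_fields(DLA_4132_FIELDS)
    # Constructed stand-ins for `dpkg-query -W -f='${Version}' erlang-base`.
    for v in ("1:23.2.6+dfsg-1+deb11u1", "1:23.2.6+dfsg-1+deb11u2",
              "1:23.2.6+dfsg-1~bpo10+1"):
        print(assess(v, adv))
```

The tilde rule matters for the third sample: a `~bpo` revision sorts below the plain `-1` revision, so a backported build is correctly reported as still vulnerable rather than being mistaken for a newer package because its string is longer.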
For the detailed security status of erlang please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/erlang
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS