Your message dated Mon, 21 Apr 2025 11:17:08 +0000
with message-id <e1u6p9a-002svx...@fasolo.debian.org>
and subject line Bug#1059002: fixed in erlang 1:25.2.3+dfsg-1+deb12u1
has caused the Debian Bug report #1059002,
regarding erlang: CVE-2023-48795
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1059002: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059002
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: erlang
Version: 1:25.2.3+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for erlang.

CVE-2023-48795[0]:
| The SSH transport protocol with certain OpenSSH extensions, found in
| OpenSSH before 9.6 and other products, allows remote attackers to
| bypass integrity checks such that some packets are omitted (from the
| extension negotiation message), and a client and server may
| consequently end up with a connection for which some security
| features have been downgraded or disabled, aka a Terrapin attack.
| This occurs because the SSH Binary Packet Protocol (BPP),
| implemented by these extensions, mishandles the handshake phase and
| mishandles use of sequence numbers. For example, there is an
| effective attack against SSH's use of ChaCha20-Poly1305 (and CBC
| with Encrypt-then-MAC). The bypass occurs in
| chacha20-poly1...@openssh.com and (if CBC is used) the
| -e...@openssh.com MAC algorithms. This also affects Maverick Synergy
| Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh
| before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before
| 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, and
| libssh2 through 1.11.0; and there could be effects on Bitvise SSH
| through 9.31.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-48795
    https://www.cve.org/CVERecord?id=CVE-2023-48795
[1] https://github.com/erlang/otp/commit/ee67d46285394db95133709cef74b0c462d665aa

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: erlang
Source-Version: 1:25.2.3+dfsg-1+deb12u1
Done: Sergei Golovan <sgolo...@debian.org>

We believe that the bug you reported is fixed in the latest version of
erlang, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1059...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sergei Golovan <sgolo...@debian.org> (supplier of updated erlang package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 20 Apr 2025 08:09:59 +0300
Source: erlang
Architecture: source
Version: 1:25.2.3+dfsg-1+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Erlang Packagers <pkg-erlang-de...@lists.alioth.debian.org>
Changed-By: Sergei Golovan <sgolo...@debian.org>
Closes: 1059002 1101713 1103442
Changes:
 erlang (1:25.2.3+dfsg-1+deb12u1) bookworm-security; urgency=high
 .
   [ Salvatore Bonaccorso ]
   * ssh: implement strict KEX (CVE-2023-48795) (Closes: #1059002)
   * ssh: reject SFTP packets exceeding max allowed size (CVE-2025-26618)
   * ssh: fix denial of service due to erroneous processing of large KEX
     init packages (CVE-2025-30211) (Closes: #1101713):
     - reduce log processing for plain connections
     - ignore too long algorithm names
     - limit the length of error messages in reply to invalid packets
     - add the custom_kexinit test to test large KEX init packages processing
   * ssh: fix remote code execution (RCE) by an unauthenticated user
     (CVE-2025-32433) (Closes: #1103442)
 .
   [ Sergei Golovan ]
   * Cleanup the patches.
Checksums-Sha1:
 90a5a31d9744583449ae4238ac9b7543e4b7ad6e 5041 erlang_25.2.3+dfsg-1+deb12u1.dsc
 17f9b115cb539f2f3688a207388a3eae67d8481b 48013400 erlang_25.2.3+dfsg.orig.tar.xz
 c66ea3d3dd04806550563cd71c0fc09023b69179 72708 erlang_25.2.3+dfsg-1+deb12u1.debian.tar.xz
 a50a25697b3faefd9c49975907c80afec7b686f9 31737 erlang_25.2.3+dfsg-1+deb12u1_amd64.buildinfo
Checksums-Sha256:
 ad8562aaaee6d692d604132832fbb51feeeb6e176f0445ca201486318361b0b8 5041 erlang_25.2.3+dfsg-1+deb12u1.dsc
 65c77675af31235d19ee7888fb2a9d858759b1089ba33126344697be7600d271 48013400 erlang_25.2.3+dfsg.orig.tar.xz
 02643fa322797fca559b1bc6aa938ea44810fc372a5fc504759d15f6ddbd51fa 72708 erlang_25.2.3+dfsg-1+deb12u1.debian.tar.xz
 116de48e1bff1d3cb4bf76009d4d2a9f4b9634bf75abf14fdb557a621c2a0e9b 31737 erlang_25.2.3+dfsg-1+deb12u1_amd64.buildinfo
Files:
 173a1cf30758b022aadc9c1552e8cc53 5041 interpreters optional erlang_25.2.3+dfsg-1+deb12u1.dsc
 68f00d5a9b77d45d45be87ab98fa1d15 48013400 interpreters optional erlang_25.2.3+dfsg.orig.tar.xz
 29e39401ffd156185a53107b881e91cd 72708 interpreters optional erlang_25.2.3+dfsg-1+deb12u1.debian.tar.xz
 7c4670053fe6f82c46d132f06156be73 31737 interpreters optional erlang_25.2.3+dfsg-1+deb12u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpuFDCwsiV0k.pgp
Description: PGP signature


--- End Message ---
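The CVE text in the bug report above describes the Terrapin mechanism (the BPP's implicit sequence number is bound into the integrity tag but is not reset when NEWKEYS switches encryption on, so an attacker can inject an unauthenticated packet before NEWKEYS and delete one encrypted packet after it without any tag failing), and the changelog entry closes it with "implement strict KEX". The following is an added model written for this page; it is not Erlang/OTP's ssh application, not the upstream commit, and not the Debian patch. Packet framing, the KEX exchange and the cipher/MAC are simplified (assumptions: packets are (payload, tag) tuples, the AEAD/MAC is stood in for by an HMAC over seq || payload under a constructed key, KEX is reduced to KEXINIT and NEWKEYS). What the model keeps faithful is exactly what the attack relies on, plus the two halves of the strict-KEX countermeasure: counters restart at zero after NEWKEYS, and unexpected message types during the initial KEX terminate the connection.

```python
"""Model of the Terrapin prefix-truncation attack (CVE-2023-48795) on the SSH
Binary Packet Protocol, and of the strict-KEX countermeasure.

Assumptions (not the real wire format): a packet is a (payload, tag) tuple,
the negotiated cipher/MAC is replaced by HMAC-SHA256 over seq || payload under
a constructed key, and KEX is reduced to KEXINIT / NEWKEYS. Kept faithful: the
32-bit sequence number is implicit (never transmitted), it is bound into the
integrity tag, and without strict KEX it keeps counting across NEWKEYS.
"""
import hashlib
import hmac

SSH_MSG_IGNORE = 2
SSH_MSG_SERVICE_ACCEPT = 6
SSH_MSG_EXT_INFO = 7
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21

KEX_MESSAGES = {SSH_MSG_KEXINIT, SSH_MSG_NEWKEYS}   # all a strict peer accepts during KEX here
SESSION_KEY = b"constructed-session-key"           # stand-in for the keys derived from KEX


def integrity_tag(seq: int, payload: bytes) -> bytes:
    """Stand-in for ChaCha20-Poly1305 / EtM-MAC: the tag covers the implicit sequence number."""
    return hmac.new(SESSION_KEY, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


class Endpoint:
    """One direction of the BPP: a sender and a receiver each keep their own implicit counter."""

    def __init__(self, strict_kex: bool, reject_unexpected: bool = True):
        self.strict_kex = strict_kex                # reset counter after NEWKEYS (kex-strict-*@openssh.com)
        self.reject_unexpected = reject_unexpected  # also tear down on unexpected messages during KEX
        self.seq = 0
        self.encrypting = False
        self.in_initial_kex = True

    def send(self, msg_type: int, body: bytes = b"") -> tuple:
        payload = bytes([msg_type]) + body
        tag = integrity_tag(self.seq, payload) if self.encrypting else None
        self._advance(msg_type)
        return (payload, tag)

    def receive(self, packet: tuple) -> int:
        payload, tag = packet
        msg_type = payload[0]
        if self.encrypting:
            expected = integrity_tag(self.seq, payload)
            if tag is None or not hmac.compare_digest(tag, expected):
                raise ConnectionError(f"integrity check failed at receive seq {self.seq}")
        elif self.in_initial_kex and self.strict_kex and self.reject_unexpected \
                and msg_type not in KEX_MESSAGES:
            raise ConnectionError(f"strict kex: unexpected message type {msg_type} during initial KEX")
        self._advance(msg_type)
        return msg_type

    def _advance(self, msg_type: int) -> None:
        self.seq += 1
        if msg_type == SSH_MSG_NEWKEYS:
            self.encrypting = True
            self.in_initial_kex = False
            if self.strict_kex:
                self.seq = 0   # the mitigation: both counters restart with the new keys


def server_packets(server: Endpoint) -> list:
    """Server-to-client traffic: EXT_INFO is the first encrypted packet after NEWKEYS."""
    return [
        server.send(SSH_MSG_KEXINIT),
        server.send(SSH_MSG_NEWKEYS),
        server.send(SSH_MSG_EXT_INFO, b"server-sig-algs"),
        server.send(SSH_MSG_SERVICE_ACCEPT, b"ssh-userauth"),
    ]


def terrapin_mitm(packets: list) -> list:
    """Prefix truncation: inject one unauthenticated IGNORE in the plaintext phase, then
    drop the first encrypted packet. The receiver's counter ends up exactly where the
    sender's is, so every later tag still verifies and EXT_INFO is silently gone."""
    out, dropped = [], False
    for payload, tag in packets:
        if payload[0] == SSH_MSG_NEWKEYS:
            out.append((bytes([SSH_MSG_IGNORE]), None))   # no tag needed before NEWKEYS
        if tag is not None and not dropped:
            dropped = True                                # delete EXT_INFO
            continue
        out.append((payload, tag))
    return out


def run(strict_kex: bool, attacker=None, reject_unexpected: bool = True) -> tuple:
    """Return ("completed", accepted message types) or ("terminated", reason)."""
    server = Endpoint(strict_kex)
    client = Endpoint(strict_kex, reject_unexpected)
    packets = server_packets(server)
    if attacker is not None:
        packets = attacker(packets)
    accepted = []
    try:
        for packet in packets:
            accepted.append(client.receive(packet))
    except ConnectionError as err:
        return ("terminated", str(err))
    return ("completed", accepted)


if __name__ == "__main__":
    print("legacy, no attacker   :", run(False))
    print("legacy, Terrapin      :", run(False, terrapin_mitm))          # EXT_INFO lost, no error
    print("strict, Terrapin      :", run(True, terrapin_mitm))           # torn down on IGNORE
    print("reset only, Terrapin  :", run(True, terrapin_mitm, False))    # torn down on tag mismatch
```

The second run is the vulnerability: the client accepts KEXINIT, IGNORE, NEWKEYS, SERVICE_ACCEPT and never sees EXT_INFO, yet no integrity check fails. With strict KEX the same attacker is caught twice over: the injected IGNORE is rejected as an unexpected message during the initial KEX, and even a receiver that only implements the counter reset (the `reject_unexpected=False` run) fails the tag on the packet that follows the deleted one, because sender and receiver no longer agree on the sequence number. In the real protocol both peers have to advertise the kex-strict pseudo-algorithm in KEXINIT before either behaviour applies; the model simply assumes both do.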
