Source: erlang
Version: 1:27.3+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for erlang.

CVE-2025-30211[0]:
| Erlang/OTP is a set of libraries for the Erlang programming
| language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a
| maliciously formed KEX init message can result in high memory
| usage. The implementation does not verify the RFC-specified limit on
| algorithm names (64 characters) provided in the KEX init message. A big
| KEX init packet may lead to inefficient processing of the error
| data. As a result, a large amount of memory will be allocated for
| processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and
| OTP-25.3.2.19 fix the issue. Some workarounds are available. One may
| set option `parallel_login` to `false` and/or reduce the
| `max_sessions` option.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-30211
    https://www.cve.org/CVERecord?id=CVE-2025-30211
[1] https://github.com/erlang/otp/security/advisories/GHSA-vvr3-fjhh-cfwc

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
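The advisory quoted above says the missing check was the RFC 4250 limit of 64 characters per algorithm name in the KEX init name-lists. The following is an added illustration of that check, written here for this report; it is not code from Erlang/OTP and not the upstream fix. It parses an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1 field order) and rejects the message as soon as a name-list length prefix or an individual name exceeds its limit, before any per-name processing. The 4096-byte cap on a whole name-list (`MAX_NAMELIST_BYTES`), the field names, and the two sample messages are assumptions constructed for the example.

```python
"""Validate an SSH_MSG_KEXINIT payload before processing its name-lists.

Added example, not Erlang/OTP code. Enforces the RFC 4250 limit of 64
characters per algorithm name and rejects oversized lists from their
length prefix alone, so a hostile message costs O(1) work to refuse.
"""
import struct

SSH_MSG_KEXINIT = 20
MAX_ALGORITHM_NAME_LEN = 64   # RFC 4250 section 4.6.1: names are at most 64 characters
MAX_NAMELIST_BYTES = 4096     # assumption: defensive cap on one whole name-list

# The ten name-lists of SSH_MSG_KEXINIT in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_client_to_server", "encryption_server_to_client",
    "mac_client_to_server", "mac_server_to_client",
    "compression_client_to_server", "compression_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)


class KexInitError(ValueError):
    """Raised when a KEXINIT message violates the wire format or an RFC limit."""


def read_namelist(buf, off, field):
    """Decode one RFC 4251 name-list at buf[off:], validating every name."""
    if off + 4 > len(buf):
        raise KexInitError(f"{field}: truncated length field")
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    # Refuse an oversized list from its length prefix, before copying or splitting it.
    if length > MAX_NAMELIST_BYTES:
        raise KexInitError(f"{field}: name-list of {length} bytes exceeds cap")
    if off + length > len(buf):
        raise KexInitError(f"{field}: name-list runs past end of message")
    raw = buf[off:off + length]
    off += length
    if length == 0:
        return [], off                       # an empty name-list is legal
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise KexInitError(f"{field}: name-list is not US-ASCII") from None
    names = text.split(",")
    for name in names:
        if not name:
            raise KexInitError(f"{field}: empty algorithm name")
        if len(name) > MAX_ALGORITHM_NAME_LEN:
            raise KexInitError(f"{field}: algorithm name of {len(name)} characters "
                               f"exceeds RFC 4250 limit of {MAX_ALGORITHM_NAME_LEN}")
    return names, off


def parse_kexinit(msg):
    """Parse a decrypted, de-padded KEXINIT payload; raise KexInitError if invalid."""
    if len(msg) < 17 or msg[0] != SSH_MSG_KEXINIT:
        raise KexInitError("not an SSH_MSG_KEXINIT payload")
    off = 17                                 # 1 byte message type + 16 byte cookie
    lists = {}
    for field in KEXINIT_FIELDS:
        lists[field], off = read_namelist(msg, off, field)
    if off + 5 != len(msg):                  # boolean + uint32 reserved, then nothing
        raise KexInitError("bad trailer length")
    if struct.unpack_from(">I", msg, off + 1)[0] != 0:
        raise KexInitError("reserved field must be zero")
    return {"cookie": msg[1:17], "lists": lists,
            "first_kex_packet_follows": msg[off] != 0}


def check_kexinit(msg):
    """Return None if msg is acceptable, otherwise the reason it was rejected."""
    try:
        parse_kexinit(msg)
    except KexInitError as exc:
        return str(exc)
    return None


def encode_kexinit(lists, cookie=b"\x00" * 16):
    """Encode a KEXINIT payload from ten name-lists (used only to build test vectors)."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in lists:
        raw = ",".join(names).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return body + b"\x00" + struct.pack(">I", 0)


# Constructed sample messages, not captured traffic.
_REST = [["ssh-ed25519"], ["aes256-gcm@openssh.com"], ["aes256-gcm@openssh.com"],
         ["hmac-sha2-256"], ["hmac-sha2-256"], ["none"], ["none"], [], []]
GOOD_KEXINIT = encode_kexinit([["curve25519-sha256"]] + _REST)
OVERLONG_NAME_KEXINIT = encode_kexinit([["x" * 65]] + _REST)   # one name of 65 characters

if __name__ == "__main__":
    print("good message:", check_kexinit(GOOD_KEXINIT))
    print("overlong name:", check_kexinit(OVERLONG_NAME_KEXINIT))
```

The order of the checks is the point: the length prefix is compared against the cap before the bytes are copied or split, and each name is measured before anything is looked up from it, so an invalid message is rejected without the allocation the advisory describes.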