Control: tag 1101713 + pending

Hi Salvatore,

On Sun, Mar 30, 2025 at 10:51 PM Salvatore Bonaccorso <car...@debian.org> wrote:
>
> Hi,
>
> The following vulnerability was published for erlang.
>
> CVE-2025-30211[0]:
> | Erlang/OTP is a set of libraries for the Erlang programming
> | language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a
> | maliciously formed KEX init message can result with high memory
> | usage. Implementation does not verify RFC specified limits on
> | algorithm names (64 characters) provided in KEX init message. Big
> | KEX init packet may lead to inefficient processing of the error
> | data. As a result, large amount of memory will be allocated for
> | processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and
> | OTP-25.3.2.19 fix the issue. Some workarounds are available. One may
> | set option `parallel_login` to `false` and/or reduce the
> | `max_sessions` option.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

I'll upload 27.3.1 in a few days. Does it make sense to backport the fix from 25.3.2.19 to erlang in stable?

Cheers!
--
Sergei Golovan
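The RFC limit the advisory refers to is the one in RFC 4251 section 6: algorithm names in a name-list are non-empty printable US-ASCII strings of at most 64 characters. The Python below is an added illustration of that check, not Erlang/OTP's ssh code and not the upstream fix: it parses a KEXINIT message (RFC 4253 section 7.1) and rejects any name-list element over the limit before anything else is done with the message, so an oversized name is dropped at the wire-format stage instead of being carried into algorithm negotiation or error reporting. The two sample messages, including the 65-character name, are constructed for the example; nothing here is captured traffic.

```python
import struct

# Added example, not Erlang/OTP code: a KEXINIT parser that enforces the
# RFC 4251 section 6 limit on algorithm names before any other processing.

SSH_MSG_KEXINIT = 20
MAX_ALG_NAME_LEN = 64  # RFC 4251 section 6: names are at most 64 characters
KEXINIT_NAME_LISTS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)


class KexInitError(ValueError):
    """Raised as soon as a KEXINIT field violates the wire format or RFC limits."""


def encode_name_list(names):
    """Encode a name-list (RFC 4251 section 5): uint32 length + comma-separated names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(name_lists):
    """Build a KEXINIT payload (RFC 4253 section 7.1) from the ten name-lists."""
    assert len(name_lists) == len(KEXINIT_NAME_LISTS)
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # message id + 16-byte cookie
    for names in name_lists:
        body += encode_name_list(names)
    body += b"\x00"               # first_kex_packet_follows = false
    body += struct.pack(">I", 0)  # reserved uint32
    return body


def parse_name_list(buf, offset):
    """Parse one name-list at offset; reject oversized or non-ASCII names early."""
    if offset + 4 > len(buf):
        raise KexInitError("truncated name-list length")
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    if length > len(buf) - offset:
        raise KexInitError("name-list length exceeds message")
    raw = buf[offset:offset + length]
    offset += length
    if length == 0:
        return [], offset
    names = []
    for name in raw.split(b","):
        # Length is checked first: a name over 64 bytes can never match a
        # supported algorithm, so it is not decoded, compared or logged.
        if len(name) > MAX_ALG_NAME_LEN:
            raise KexInitError(
                f"algorithm name of {len(name)} bytes exceeds {MAX_ALG_NAME_LEN}")
        if not name or not all(0x21 <= b <= 0x7E for b in name):
            raise KexInitError("algorithm name must be non-empty printable US-ASCII")
        names.append(name.decode("ascii"))
    return names, offset


def parse_kexinit(payload):
    """Return the KEXINIT fields as a dict, or raise KexInitError."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise KexInitError("not a KEXINIT message")
    if len(payload) < 17:
        raise KexInitError("truncated cookie")
    offset = 17
    fields = {}
    for field in KEXINIT_NAME_LISTS:
        fields[field], offset = parse_name_list(payload, offset)
    if offset + 5 > len(payload):
        raise KexInitError("truncated trailer")
    fields["first_kex_packet_follows"] = payload[offset] != 0
    return fields


def validate_kexinit(payload):
    """Return None if the payload is acceptable, else the rejection reason."""
    try:
        parse_kexinit(payload)
    except KexInitError as exc:
        return str(exc)
    return None


# Constructed sample messages for this example (not captured traffic).
GOOD_KEXINIT = build_kexinit([
    ["curve25519-sha256", "ecdh-sha2-nistp256"],
    ["ssh-ed25519"],
    ["aes256-gcm@openssh.com"], ["aes256-gcm@openssh.com"],
    ["hmac-sha2-256"], ["hmac-sha2-256"],
    ["none"], ["none"],
    [], [],
])

# Same message, but the first kex algorithm name is 65 characters long.
OVERSIZED_KEXINIT = build_kexinit([
    ["a" * (MAX_ALG_NAME_LEN + 1), "curve25519-sha256"],
    ["ssh-ed25519"],
    ["aes256-gcm@openssh.com"], ["aes256-gcm@openssh.com"],
    ["hmac-sha2-256"], ["hmac-sha2-256"],
    ["none"], ["none"],
    [], [],
])

if __name__ == "__main__":
    print("good:", validate_kexinit(GOOD_KEXINIT))
    print("oversized:", validate_kexinit(OVERSIZED_KEXINIT))
```

The point of checking the length before the character class or the decode is that the rejection cost stays constant per message regardless of how many or how long the offending names are; the declared name-list length is likewise bounded against the remaining buffer before any slice is taken. The `parallel_login` and `max_sessions` workarounds from the advisory act one layer up, by limiting how many such messages a server will process at once, and are complementary to this kind of parse-time validation.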