Source: erlang
Version: 1:27.3.3+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for erlang.

CVE-2025-46712[0]:
| Erlang/OTP is a set of libraries for the Erlang programming
| language. In versions prior to OTP-27.3.4 (for OTP-27),
| OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25),
| Erlang/OTP SSH fails to enforce strict KEX handshake hardening
| measures by allowing optional messages to be exchanged. This allows
| a Man-in-the-Middle attacker to inject these messages in a
| connection during the handshake. This issue has been patched in
| versions OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and
| OTP-25.3.2.21 (for OTP-25).

This does not warrant a DSA, fwiw; ideally it would be fixed in one of the
next point releases, but ideally also already in trixie before the release.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-46712
    https://www.cve.org/CVERecord?id=CVE-2025-46712
[1] https://github.com/erlang/otp/security/advisories/GHSA-934x-xq38-hhqf

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
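As an added example (not part of the bug report or of the Debian or Erlang/OTP tooling), the following script turns the advisory's per-series fixed versions into a triage check: it strips a Debian package version such as the reported `1:27.3.3+dfsg-1` down to the upstream OTP version and compares it against the fixed version of the same OTP major line. The fixed versions are the ones quoted above; the function names, the sample package versions and the dpkg-style input line are constructed for illustration. One caveat a practitioner should keep in mind: Debian frequently backports a fix without bumping the upstream version, so a check like this only flags candidates; the changelog entry (which this report asks to carry the CVE id) is what confirms whether the package is actually fixed.

```python
import re

# Fixed versions per OTP major line, as stated in CVE-2025-46712 / GHSA-934x-xq38-hhqf.
FIXED_VERSIONS = {
    27: "27.3.4",
    26: "26.2.5.12",
    25: "25.3.2.21",
}


def parse_version(version):
    """Turn a dotted upstream version such as '26.2.5.11' into a tuple of ints."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def upstream_from_debian(debian_version):
    """Reduce a Debian package version to the upstream OTP version.

    '1:27.3.3+dfsg-1' -> '27.3.3'  (epoch, +dfsg suffix and Debian revision dropped)
    """
    version = debian_version.split(":", 1)[-1]   # drop epoch '1:'
    version = version.split("-", 1)[0]           # drop Debian revision '-1'
    version = version.split("+", 1)[0]           # drop '+dfsg' style suffix
    return version


def is_affected(otp_version):
    """True if the upstream OTP version is older than the fixed release of its series,
    False if it is at or beyond it, None if the advisory does not list that series."""
    parsed = parse_version(otp_version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return None
    # Tuple comparison handles differing lengths: (26, 2, 5) < (26, 2, 5, 12).
    return parsed < parse_version(fixed)


def assess_debian_version(debian_version):
    """Return (upstream_version, affected) for a Debian erlang package version.

    'affected' is None when the upstream major line is not covered by the advisory.
    Caveat (assumption about workflow, not stated in the advisory): Debian may ship the
    fix as a patch without changing the upstream version, so True means 'check the
    changelog for CVE-2025-46712', not 'definitely vulnerable'.
    """
    upstream = upstream_from_debian(debian_version)
    return upstream, is_affected(upstream)


def assess_dpkg_line(line):
    """Parse a constructed 'dpkg-query -W' style line: '<package>\\t<version>'."""
    package, version = line.rstrip("\n").split("\t", 1)
    upstream, affected = assess_debian_version(version)
    return package, upstream, affected


if __name__ == "__main__":
    # Constructed sample lines in the shape of `dpkg-query -W erlang-base` output.
    sample_lines = [
        "erlang-base\t1:27.3.3+dfsg-1",    # the version named in this bug report
        "erlang-base\t1:26.2.5.12+dfsg-1", # at the fixed version of the OTP-26 line
        "erlang-base\t1:28.0+dfsg-1",      # a series the advisory does not list
    ]
    for line in sample_lines:
        package, upstream, affected = assess_dpkg_line(line)
        verdict = {True: "before fixed version, check changelog",
                   False: "at/after fixed version",
                   None: "series not covered by advisory"}[affected]
        print(f"{package} {upstream}: {verdict}")
```

Running the block prints one verdict per constructed line; feeding it real `dpkg-query -W erlang-base` output is a one-line change in the `__main__` section.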