tags 1104963 + pending
thanks

Hi Salvatore,

On Fri, May 9, 2025 at 7:27 AM Salvatore Bonaccorso <car...@debian.org> wrote:
>
> The following vulnerability was published for erlang.
>
> CVE-2025-46712[0]:
> | Erlang/OTP is a set of libraries for the Erlang programming
> | language. In versions prior to OTP-27.3.4 (for OTP-27),
> | OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25),
> | Erlang/OTP SSH fails to enforce strict KEX handshake hardening
> | measures by allowing optional messages to be exchanged. This allows
> | a Man-in-the-Middle attacker to inject these messages in a
> | connection during the handshake. This issue has been patched in
> | versions OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and
> | OTP-25.3.2.21 (for OTP-25).
>
> This does not warrant a DSA, fwiw, might be fixed in one of the next
> point releases ideally, but as well ideally already in trixie before
> the release.

Okay. I've prepared 27.3.4 with the fix for sid/trixie and added the
relevant patch to erlang in bookworm. The latter needs some additional
testing. I'll upload both packages shortly.

>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Will do. Thank you for the report!

Cheers!
-- 
Sergei Golovan
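As an added illustration of the hardening measure the CVE text refers to (not code from the thread, from Erlang/OTP, or from the Debian patch): the strict key exchange extension that OpenSSH introduced as the Terrapin countermeasure is signalled by the pseudo-algorithms kex-strict-c-v00@openssh.com and kex-strict-s-v00@openssh.com in the KEXINIT kex_algorithms list. When negotiated, a peer must disconnect if the first packet is not KEXINIT or if any message that RFC 4253 otherwise allows "at any time" (SSH_MSG_IGNORE, SSH_MSG_DEBUG, SSH_MSG_UNIMPLEMENTED) arrives before NEWKEYS, and both sides reset their sequence numbers to zero after NEWKEYS. The toy receiver below models that rule next to the permissive behaviour; the message numbers are RFC 4253's, the traffic traces are constructed, and nothing here reflects how OTP's ssh application is actually implemented.

```python
"""Toy model of SSH strict key exchange (kex-strict-[cs]-v00@openssh.com).

Illustrative code added to the thread; not Erlang/OTP's ssh application.
Message type numbers are from RFC 4253 section 12.
"""
from dataclasses import dataclass, field

SSH_MSG_IGNORE = 2
SSH_MSG_UNIMPLEMENTED = 3
SSH_MSG_DEBUG = 4
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_KEXDH_INIT = 30    # same number is reused by the ECDH/curve25519 methods
SSH_MSG_KEXDH_REPLY = 31

# Messages the base protocol permits at any time. During the initial
# handshake nothing is encrypted or MAC'd yet, so an on-path attacker can
# inject them freely; strict KEX therefore forbids them until NEWKEYS.
OPTIONAL_MESSAGES = {SSH_MSG_IGNORE, SSH_MSG_DEBUG, SSH_MSG_UNIMPLEMENTED}

STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"


class StrictKexViolation(Exception):
    """Raised where a strict-KEX peer must terminate the connection."""


def strict_kex_negotiated(we_are_server: bool, peer_kex_algorithms: list[str]) -> bool:
    """Strict mode is on iff the peer advertises the marker for *its* role."""
    marker = STRICT_KEX_CLIENT if we_are_server else STRICT_KEX_SERVER
    return marker in peer_kex_algorithms


@dataclass
class HandshakeReceiver:
    strict: bool
    seq: int = 0                      # receive sequence number fed to the MAC
    in_initial_kex: bool = False
    kex_done: bool = False
    accepted: list[int] = field(default_factory=list)

    def receive(self, msg_type: int) -> None:
        # Strict KEX constrains only the initial exchange (not later rekeys).
        if self.strict and not self.kex_done:
            if not self.in_initial_kex and msg_type != SSH_MSG_KEXINIT:
                raise StrictKexViolation(
                    f"first packet has type {msg_type}, expected KEXINIT")
            if self.in_initial_kex and msg_type in OPTIONAL_MESSAGES:
                raise StrictKexViolation(
                    f"type {msg_type} received during initial KEX")
        if msg_type == SSH_MSG_KEXINIT:
            self.in_initial_kex = True
        self.accepted.append(msg_type)
        self.seq += 1
        if msg_type == SSH_MSG_NEWKEYS and self.in_initial_kex:
            self.in_initial_kex = False
            self.kex_done = True
            if self.strict:
                self.seq = 0          # both peers restart numbering after NEWKEYS


def run_handshake(strict: bool, wire: list[int]) -> dict:
    """Feed a sequence of message types to a receiver and report the outcome."""
    rx = HandshakeReceiver(strict=strict)
    try:
        for msg_type in wire:
            rx.receive(msg_type)
    except StrictKexViolation as exc:
        return {"disconnected": True, "reason": str(exc), "accepted": rx.accepted}
    return {"disconnected": False, "accepted": rx.accepted, "seq_after_kex": rx.seq}


# Constructed traces as seen by a server (types only, no payloads).
CLEAN_SERVER_VIEW = [SSH_MSG_KEXINIT, SSH_MSG_KEXDH_INIT, SSH_MSG_NEWKEYS]
# Same exchange with an SSH_MSG_IGNORE injected by an on-path attacker.
INJECTED_SERVER_VIEW = [SSH_MSG_KEXINIT, SSH_MSG_IGNORE,
                        SSH_MSG_KEXDH_INIT, SSH_MSG_NEWKEYS]


if __name__ == "__main__":
    print("permissive:", run_handshake(False, INJECTED_SERVER_VIEW))
    print("strict:    ", run_handshake(True, INJECTED_SERVER_VIEW))
    print("strict ok: ", run_handshake(True, CLEAN_SERVER_VIEW))
```

The permissive receiver accepts the injected SSH_MSG_IGNORE and keeps counting sequence numbers, which is the behaviour the CVE describes as missing strict-KEX enforcement; the strict receiver tears the connection down on the first unexpected packet and restarts its counter at zero after NEWKEYS.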