Your message dated Mon, 21 Apr 2025 11:17:08 +0000
with message-id <e1u6p9a-002sw9...@fasolo.debian.org>
and subject line Bug#1103442: fixed in erlang 1:25.2.3+dfsg-1+deb12u1
has caused the Debian Bug report #1103442,
regarding erlang: CVE-2025-32433
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1103442: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103442
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: erlang
Version: 1:25.2.3+dfsg-1
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1:27.3.2+dfsg-1
Control: fixed -1 1:27.3.3+dfsg-1

Hi,

The following vulnerability was published for erlang.

CVE-2025-32433[0]:
| Erlang/OTP is a set of libraries for the Erlang programming
| language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and
| OTP-25.3.2.20, an SSH server may allow an attacker to perform
| unauthenticated remote code execution (RCE). By exploiting a flaw in
| SSH protocol message handling, a malicious actor could gain
| unauthorized access to affected systems and execute arbitrary
| commands without valid credentials. This issue is patched in
| versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary
| workaround involves disabling the SSH server or preventing access
| via firewall rules.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-32433
    https://www.cve.org/CVERecord?id=CVE-2025-32433
[1] https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2

Regards,
Salvatore

--- End Message ---
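An added version check, written here as a defender's triage aid and not part of the bug report or of the erlang package. It reads the fixed-version list from the CVE text above per release branch, an assumption this script states in its header; branches older than 25 are treated as affected and branches newer than 27 as fixed, both assumptions.

```python
"""Classify an Erlang/OTP version string against CVE-2025-32433
(unauthenticated RCE in the OTP ssh application).

Assumption (not spelled out in the CVE text): "prior to versions
OTP-27.3.3, OTP-26.2.5.11 and OTP-25.3.2.20" is read per release
branch, so 25.3.2.19 is affected while 26.2.5.11 is not.
"""

import os
import re

# First fixed version on each branch, taken from the CVE description.
FIXED_BY_MAJOR = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}


def parse_otp_version(text: str) -> tuple[int, ...]:
    """Accept 'OTP-25.3.2.20', '25.3.2.20', or an OTP_VERSION file body."""
    m = re.search(r"(?:OTP-)?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"not an OTP version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: str) -> bool:
    """True when the version precedes the fix on its branch.

    Tuple comparison treats a shorter prefix as older, so '25.3.2'
    sorts before (25, 3, 2, 20) and is reported as affected.
    """
    v = parse_otp_version(version)
    major = v[0]
    if major in FIXED_BY_MAJOR:
        return v < FIXED_BY_MAJOR[major]
    # Assumptions: branches before 25 received no fix in this advisory
    # (affected); branches after 27 were cut after the fix (not affected).
    return major < 25


def otp_version_file(root_dir: str, otp_release: str) -> str:
    """Path of the OTP_VERSION file, given the values an Erlang node reports
    via code:root_dir() and erlang:system_info(otp_release)."""
    return os.path.join(root_dir, "releases", otp_release, "OTP_VERSION")
```

On Debian the fix is backported, so a bookworm host running erlang 1:25.2.3+dfsg-1+deb12u1 still reports OTP 25.2.3 and this check flags it; there, compare the package version with `dpkg --compare-versions` instead.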
--- Begin Message ---
Source: erlang
Source-Version: 1:25.2.3+dfsg-1+deb12u1
Done: Sergei Golovan <sgolo...@debian.org>

We believe that the bug you reported is fixed in the latest version of
erlang, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1103...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sergei Golovan <sgolo...@debian.org> (supplier of updated erlang package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 20 Apr 2025 08:09:59 +0300
Source: erlang
Architecture: source
Version: 1:25.2.3+dfsg-1+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Erlang Packagers <pkg-erlang-de...@lists.alioth.debian.org>
Changed-By: Sergei Golovan <sgolo...@debian.org>
Closes: 1059002 1101713 1103442
Changes:
 erlang (1:25.2.3+dfsg-1+deb12u1) bookworm-security; urgency=high
 .
   [ Salvatore Bonaccorso ]
   * ssh: implement strict KEX (CVE-2023-48795) (Closes: #1059002)
   * ssh: reject SFTP packets exceeding max allowed size (CVE-2025-26618)
   * ssh: fix denial of service due to erroneous processing of large KEX
     init packages (CVE-2025-30211) (Closes: #1101713):
     - reduce log processing for plain connections
     - ignore too long algorithm names
     - limit the length of error messages in reply to invalid packets
     - add the custom_kexinit test to test large KEX init packages processing
   * ssh: fix remote code execution (RCE) by an unauthenticated user
     (CVE-2025-32433) (Closes: #1103442)
 .
   [ Sergei Golovan ]
   * Cleanup the patches.



--- End Message ---