| Package | erlang |
|---|---|
| Version | 1:19.2.1+dfsg-2+really23.3.4.18-0+deb9u3 (stretch), 1:22.2.7+dfsg-1+deb10u2 (buster) |
| Related CVEs | CVE-2023-48795, CVE-2025-26618, CVE-2025-30211 |
Multiple vulnerabilities were found in Erlang/OTP, a set of libraries for the Erlang programming language.
CVE-2023-48795
The SSH transport protocol, as implemented in Erlang, allows remote attackers to bypass integrity
checks such that some packets are omitted (from the extension negotiation message), and
a client and server may consequently end up with a connection for which some security features
have been downgraded or disabled, also known as a Terrapin attack.
CVE-2025-26618
Packet size is not verified properly for SFTP packets. As a result, when multiple SSH packets
(each conforming to the maximum SSH packet size) are received by the ssh application, they may be
combined into an SFTP packet that exceeds the maximum allowed packet size and potentially causes
a large amount of memory to be allocated (a denial of service).
CVE-2025-30211
A maliciously formed KEX (Key Exchange) init message for the SSH protocol can result
in high memory usage. The implementation does not verify the RFC-specified limit on algorithm names
(64 characters) provided in the KEX init message. A large KEX init packet may lead to inefficient
processing of the error data. As a result, a large amount of memory will be allocated
to process the malicious data.
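The limit the description refers to, shown as an added example that is not Erlang/OTP code: a Python parser for the KEXINIT message (RFC 4253 section 7.1) that enforces the 64-character bound on algorithm names from RFC 4251 section 6 before doing any further work on the packet. The `build_kexinit` helper only constructs sample payloads for the check and is not a real SSH client.

```python
import struct

SSH_MSG_KEXINIT = 20
MAX_NAME_LEN = 64  # RFC 4251 section 6: an algorithm name is at most 64 characters

def parse_name_list(buf, offset):
    """Read one SSH name-list (uint32 length, then comma-separated ASCII names)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated name-list body")
    raw = buf[start:end]
    return (raw.decode("ascii").split(",") if raw else []), end

def check_kexinit(payload, max_name_len=MAX_NAME_LEN):
    """Parse a KEXINIT payload (RFC 4253 section 7.1) and return its ten name-lists,
    rejecting any algorithm name longer than max_name_len before doing more work."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    offset = 1 + 16  # message type byte followed by the 16-byte cookie
    lists = []
    for _ in range(10):  # kex, host key, enc, mac, compression, language (c2s/s2c)
        names, offset = parse_name_list(payload, offset)
        for name in names:
            if len(name) > max_name_len:
                raise ValueError(f"algorithm name of {len(name)} chars exceeds {max_name_len}")
        lists.append(names)
    # trailer: boolean first_kex_packet_follows followed by uint32 reserved (0)
    if offset + 5 != len(payload):
        raise ValueError("bad KEXINIT trailer")
    return lists

def is_valid_kexinit(payload):
    """True if check_kexinit accepts the payload, False on any ValueError."""
    try:
        check_kexinit(payload)
        return True
    except ValueError:
        return False

def build_kexinit(name_lists, cookie=b"\x00" * 16):
    """Constructed test helper (not a real client): assemble a KEXINIT payload."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in name_lists:
        body = ",".join(names).encode("ascii")
        out += struct.pack(">I", len(body)) + body
    return out + b"\x00" + struct.pack(">I", 0)
```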
For Debian 10 buster, these problems have been fixed in version 1:22.2.7+dfsg-1+deb10u2.
For Debian 9 stretch, these problems have been fixed in version 1:19.2.1+dfsg-2+really23.3.4.18-0+deb9u3.
We recommend that you upgrade your erlang packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.