Hi,

On Mon, Mar 31, 2025 at 12:12:31PM +0300, Sergei Golovan wrote:
> Control: tag 1101713 + pending
>
> Hi Salvatore,
>
> On Sun, Mar 30, 2025 at 10:51 PM Salvatore Bonaccorso <[email protected]>
> wrote:
> >
> > Hi,
> >
> > The following vulnerability was published for erlang.
> >
> > CVE-2025-30211[0]:
> > | Erlang/OTP is a set of libraries for the Erlang programming
> > | language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a
> > | maliciously formed KEX init message can result with high memory
> > | usage. Implementation does not verify RFC specified limits on
> > | algorithm names (64 characters) provided in KEX init message. Big
> > | KEX init packet may lead to inefficient processing of the error
> > | data. As a result, large amount of memory will be allocated for
> > | processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and
> > | OTP-25.3.2.19 fix the issue. Some workarounds are available. One may
> > | set option `parallel_login` to `false` and/or reduce the
> > | `max_sessions` option.
> >
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> I'll upload 27.3.1 in a few days. Does it make sense to backport the fix
> from 25.3.2.19 to erlang in stable?
Thanks. Yes, the unstable upload sounds good, and to make sure it will migrate as well to testing.

For stable, I guess we still need to check if it will be important enough to release via a DSA or if a point release update will be enough. Let's check after the unstable upload has been done.

Regards,
Salvatore
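As an added illustration, separate from this thread and not Erlang/OTP's own code: a small Python parser for SSH_MSG_KEXINIT (RFC 4253 section 7.1) that enforces the RFC 4251 64-character algorithm-name limit and a bounded name-list size before any individual name is looked up or echoed into error data, which is the missing check the advisory describes. MAX_NAME_LIST_LEN is an assumed local cap, not an RFC value, and build_kexinit is a helper written here to construct test payloads.

```python
import struct

SSH_MSG_KEXINIT = 20
MAX_ALG_NAME_LEN = 64     # RFC 4251 section 6: algorithm names are at most 64 characters
MAX_NAME_LIST_LEN = 4096  # assumed local cap per name-list; not an RFC value
NAME_LISTS = (            # the ten name-lists of SSH_MSG_KEXINIT, RFC 4253 section 7.1
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)


class KexInitError(ValueError):
    """Raised as soon as a limit is violated, before any per-name work is done."""


def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload, rejecting oversized lists and names up front."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise KexInitError("not a KEXINIT payload")
    pos = 17  # message id (1 byte) + cookie (16 bytes)
    result = {}
    for field in NAME_LISTS:
        if pos + 4 > len(payload):
            raise KexInitError(f"truncated before {field}")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        # Bound the declared length before slicing, so it cannot drive allocation.
        if n > MAX_NAME_LIST_LEN or pos + n > len(payload):
            raise KexInitError(f"{field}: declared length {n} exceeds cap or packet")
        raw = payload[pos:pos + n]
        pos += n
        names = raw.split(b",") if raw else []
        for name in names:
            # Enforce the 64-character limit before the name is looked up or reported.
            if not (1 <= len(name) <= MAX_ALG_NAME_LEN) or not name.isascii():
                raise KexInitError(f"{field}: name of {len(name)} bytes violates RFC 4251 limit")
        result[field] = [name.decode("ascii") for name in names]
    if pos + 5 > len(payload):  # boolean first_kex_packet_follows + uint32 reserved
        raise KexInitError("truncated trailer")
    result["first_kex_packet_follows"] = payload[pos] != 0
    return result


def build_kexinit(lists, cookie=b"\x00" * 16) -> bytes:
    """Construct a KEXINIT payload for testing; `lists` follows NAME_LISTS order."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in lists:
        body = ",".join(names).encode("ascii")
        out += struct.pack(">I", len(body)) + body
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows=false, reserved
```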

