Your message dated Fri, 12 Jun 2026 18:19:43 +0000
with message-id <[email protected]>
and subject line Bug#1124853: fixed in erlang 1:29.0.2+dfsg-1
has caused the Debian Bug report #1124853,
regarding erlang: please build using the default build flags
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1124853: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124853
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: erlang
Version: 1:27.3.4.6+dfsg-1
User: [email protected]
Usertags: hardening-buildflags
erlang is not currently using the default build flags set by dpkg-buildflags(1).
The default flags are chosen for multiple reasons including security,
performance, reproducibility, adherence to standards, and error handling.
Please make sure that erlang builds using the default build flags. blhc(1p)
and hardening-check(1) can be used to confirm that the issue is fixed.
In the general case, packages honoring CFLAGS, LDFLAGS, and other
similar environment variables get the default build flags for free
without the need for any work on the maintainer side. In the case of
erlang, the flags are either ignored or overridden.
The most common reasons for this are:
Hand-written Makefiles
----------------------
Some upstream Makefiles either override the values of variables such as
CFLAGS and similar or do not use them at all. See:
https://wiki.debian.org/HardeningWalkthrough#Handwritten_Makefiles
Misconfigured build systems
---------------------------
If the upstream code uses autotools, CMake, or other popular build
systems, it usually requires no further modifications. It might however
be that some variables are hardcoded in some way.
In this CMake snippet, the value of CXXFLAGS is overwritten with "-O2":
    set(CMAKE_CXX_FLAGS "-O2")
If the intention is to append to CXXFLAGS, one should use the following
instead:
    set(CMAKE_CXX_FLAGS "-O2 ${CMAKE_CXX_FLAGS}")
See #655870 for a similar autotools example.
Very old debhelper usage
------------------------
Packages not using dh(1), or those using a debhelper compatibility level
less than 9, need to manually include /usr/share/dpkg/buildflags.mk in
order for the dpkg-buildflags variables to be set:
https://wiki.debian.org/Hardening#dpkg-buildflags
Flags hardcoded in debian/rules (either voluntarily or not)
-----------------------------------------------------------
Some packages voluntarily hardcode the values of CFLAGS and friends in
debian/rules, ignoring the defaults set by dpkg-buildflags(1).
Others attempt to append to the variables, but end up accidentally
overriding the defaults:
    #!/usr/bin/make -f
    export CFLAGS += -pipe -fPIC -Wall
    %:
    	dh $@
Debhelper only sets CFLAGS if it is not set yet. In the example above,
when dh is invoked the value of CFLAGS is "-pipe -fPIC -Wall", hence the
hardened defaults are not used. The right way to append to CFLAGS is
using DEB_CFLAGS_MAINT_APPEND instead, as documented in
dpkg-buildflags(1).
For a detailed analysis of this issue, see https://hal.science/hal-05334704/
--- End Message ---
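The override-versus-append behaviour the report describes, as an added example that is not part of the bug report, of debhelper, or of the erlang package: a POSIX shell script that simulates debhelper's set-only-if-unset handling of CFLAGS (with and without DEB_CFLAGS_MAINT_APPEND) and then runs a simplified blhc-style scan over a constructed build log. The hardened flag set, the list of flags checked for, and the sample log lines are constructed for the demo and are only a subset of what dpkg-buildflags(1) actually emits; on a real Debian system compare against `dpkg-buildflags --get CFLAGS` and run blhc(1p) or hardening-check(1) on the real build log and binaries.

```shell
#!/bin/sh
# Added example, not from the bug report or the erlang package. Simulates how
# debhelper picks up CFLAGS and checks compiler lines for hardening flags.

# Constructed subset of the Debian default CFLAGS (assumption for this demo;
# the real list comes from dpkg-buildflags(1)).
HARDENED_CFLAGS="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security"

# Mimics the debhelper rule quoted in the report: CFLAGS is taken from the
# defaults only when it is still unset, then DEB_CFLAGS_MAINT_APPEND is added.
#   $1 = CFLAGS already exported by debian/rules (may be empty)
#   $2 = DEB_CFLAGS_MAINT_APPEND value (may be empty)
effective_cflags() {
    pre="$1"
    append="$2"
    if [ -n "$pre" ]; then
        result="$pre"             # "export CFLAGS += ..." lands here: defaults lost
    else
        result="$HARDENED_CFLAGS" # unset in the environment: defaults apply
    fi
    if [ -n "$append" ]; then
        result="$result $append"  # the supported way to add flags
    fi
    printf '%s\n' "$result"
}

# blhc-style check of one compiler command line. Returns 0 when every
# hardening flag is present, 1 otherwise (and prints the missing ones).
check_hardening() {
    line="$1"
    missing=""
    for flag in -fstack-protector-strong -Wformat -Werror=format-security; do
        case " $line " in
            *" $flag "*) ;;
            *) missing="$missing $flag" ;;
        esac
    done
    if [ -n "$missing" ]; then
        printf 'missing:%s\n' "$missing"
        return 1
    fi
    return 0
}

# Scans a build log (one command per line) and prints every compiler
# invocation that lacks at least one hardening flag, prefixed "UNHARDENED:".
scan_log() {
    printf '%s\n' "$1" | while IFS= read -r cmd; do
        case "$cmd" in
            "gcc "*|"cc "*) ;;   # only compiler invocations matter
            *) continue ;;
        esac
        check_hardening "$cmd" >/dev/null || printf 'UNHARDENED: %s\n' "$cmd"
    done
}

# Constructed sample build log: one hardened compile, one that was built with
# overridden CFLAGS, and one non-compiler line that must be ignored.
SAMPLE_LOG='gcc -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -c a.c
gcc -pipe -fPIC -Wall -c b.c
ar rcs libfoo.a a.o b.o'

# Usage when run directly: show both flag outcomes and scan the sample log.
printf 'overridden: %s\n' "$(effective_cflags "-pipe -fPIC -Wall" "")"
printf 'appended:   %s\n' "$(effective_cflags "" "-pipe -fPIC -Wall")"
scan_log "$SAMPLE_LOG"
```

The `case " $line "` trick pads the command line with spaces so that each flag is matched as a whole token rather than as a substring of a longer option; real blhc additionally tracks CPPFLAGS (`-D_FORTIFY_SOURCE`) and LDFLAGS (`-Wl,-z,relro`), which this demo omits.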
--- Begin Message ---
Source: erlang
Source-Version: 1:29.0.2+dfsg-1
Done: Sergei Golovan <[email protected]>
We believe that the bug you reported is fixed in the latest version of
erlang, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sergei Golovan <[email protected]> (supplier of updated erlang package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 12 Jun 2026 20:36:06 +0300
Source: erlang
Architecture: source
Version: 1:29.0.2+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Erlang Packagers <[email protected]>
Changed-By: Sergei Golovan <[email protected]>
Closes: 1045018 1124853 1139727 1139823
Changes:
erlang (1:29.0.2+dfsg-1) unstable; urgency=medium
.
* New upstream release.
- Fix CVE-2026-48855: Exposure of Sensitive Information to an Unauthorized
Actor vulnerability in Erlang OTP ssh application (ssh_sftpd module).
- Fix CVE-2026-48856: Sensitive Data Exposure vulnerability in Erlang OTP
inets application (httpc_response module).
- Fix CVE-2026-48858: Server-Side Request Forgery (SSRF) vulnerability in
Erlang/OTP ftp application (ftp_internal module).
- Fix CVE-2026-48859: Observable Timing Discrepancy vulnerability in
Erlang/OTP ssh application (ssh_auth, ssh_options modules).
- Fix CVE-2026-48860: Reliance on IP Address for Authentication
vulnerability in Erlang/OTP ssl application (inet_tls_dist module).
- Fix CVE-2026-49759: Stack-based Buffer Overflow vulnerability in Erlang
OTP erts (inet_drv).
- Fix CVE-2026-49760: Stack-based Buffer Overflow vulnerability in Erlang
OTP (erl_interface).
Closes: #1139727, #1139823.
* Drop dependencies of erlang-jinterface on java1-runtime-headless,
java1-runtime because they don't exist anymore.
* Drop providing erlang-pcre by erlang-base because it is not used by
any package and is not necessary anymore.
* Promote libsctp1 from recommends to depends because erl now emits a
warning if it cannot find the libsctp library, which makes some packages
that build-depend on Erlang FTBFS.
* Add a patch which fixes enabling build of odbcserver.
* Add pkgconf and libglib2.0-dev to the build dependencies for erlang-wx.
* Refine interdependencies of the binary packages.
* Use the default build flags (closes: #1124853).
* Clean up the code which stops epmd on erlang-base removal/upgrade.
* Do more thorough cleanup after building the package (closes: #1045018).
* Fix debian/watch to sort upstream version 29.0 after 29.0-rc3.
* Fix collecting examples which are now installed along with the
documentation, make links to them in the erlang-doc package.
* Switch from ronn to the internal manpage generation escript for
generating manpages in section 1.
* Add symlink /usr/lib/erlang/man to the Erlang manpages in the erlang-doc
package.
* Compress manpages in the erlang-doc package.
* Use -n option for gzip when compressing manpages for reproducibility.
* Do not remove id from the EPUB contents files in docs, just replace it
by a deterministic value.
* Replace echo by printf in the makefile for generating docs, for
reproducibility, because sometimes echo "\n" prints a literal \n.
* Move HTML and EPUB docs directly to the /usr/share/doc/erlang-doc
directory.
* Respect SOURCE_DATE_EPOCH when generating footers of HTML docs for
reproducibility.
Checksums-Sha1:
b0494f5c21cb7ecbc9e54ede7bbd342548288ef6 5002 erlang_29.0.2+dfsg-1.dsc
2199eb78fd3f51eaa690e38a1467873683a04456 49253348 erlang_29.0.2+dfsg.orig.tar.xz
57531eb6509af98678d84a85ee5b40f782d3b667 61932 erlang_29.0.2+dfsg-1.debian.tar.xz
e4ddd32871955ef3c0341672d3cf1c7477992ddd 32569 erlang_29.0.2+dfsg-1_amd64.buildinfo
Checksums-Sha256:
b1ac5e8c01b6f7828fe7283492a2d4201a58bce158c3b12268b2302d4d87d0b5 5002 erlang_29.0.2+dfsg-1.dsc
14c1277b6ac0c6940952d253389dc04b1bf129c30a77567d99c99c9d5592eb42 49253348 erlang_29.0.2+dfsg.orig.tar.xz
bf585df968de5f14d5fdf163b8b45011a454549d2f159c38eab13812f65a8141 61932 erlang_29.0.2+dfsg-1.debian.tar.xz
62c4631305af5e752b9a04f845ca2da5e5cd417ceb3591134cbe50da27a576ea 32569 erlang_29.0.2+dfsg-1_amd64.buildinfo
Files:
a9202e0fd46291c6001632880d373ec3 5002 interpreters optional erlang_29.0.2+dfsg-1.dsc
6dd10e3f187393805df50ec099f3f158 49253348 interpreters optional erlang_29.0.2+dfsg.orig.tar.xz
4fdbf975ed79957231f6b11987d3ae5d 61932 interpreters optional erlang_29.0.2+dfsg-1.debian.tar.xz
7174d95200c893b3e5f7d12f2c53fc5b 32569 interpreters optional erlang_29.0.2+dfsg-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
pgpqgYFhigURe.pgp
Description: PGP signature
--- End Message ---