Your message dated Fri, 19 Jun 2026 10:20:33 +0000
with message-id <[email protected]>
and subject line Bug#1136649: fixed in erlang-cowlib 2.17.1-1
has caused the Debian Bug report #1136649,
regarding erlang-cowlib: CVE-2026-43970
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1136649: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136649
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: erlang-cowlib
Version: 1.3.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for erlang-cowlib.
CVE-2026-43970[0]:
| Improper Handling of Highly Compressed Data (Data Amplification)
| vulnerability in ninenines cowlib allows unauthenticated remote
| denial of service via memory exhaustion. cow_spdy:inflate/2 in
| cowlib passes peer-supplied compressed bytes directly to
| zlib:inflate/2 with no output size bound. The SPDY header
| compression dictionary (?ZDICT) is public, and zlib compresses long
| runs of repeated bytes at roughly 1024:1, so a few kilobytes of SPDY
| frame payload can decompress to gigabytes on the BEAM heap, OOM-
| killing the node. A single unauthenticated SPDY frame is sufficient
| to trigger the condition. The parsers for syn_stream, syn_reply, and
| headers frame types are all affected via cow_spdy:parse_headers/2.
| This issue affects cowlib from 0.1.0 before 2.16.1.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-43970
https://www.cve.org/CVERecord?id=CVE-2026-43970
[1] https://cna.erlef.org/cves/CVE-2026-43970.html
[2] https://osv.dev/vulnerability/EEF-CVE-2026-43970
[3] https://github.com/ninenines/cowlib/commit/16aad3fb9f81f5cda4d1706ff0c54237c619c282
Regards,
Salvatore
--- End Message ---
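The CVE text above describes a zlib:inflate/2 call with no bound on the size of its output. As an added example, not part of the bug report or of cowlib's own fix, here is the bounded-inflate pattern in Python's zlib: output is pulled in capped steps and the stream is rejected as soon as a size budget is exceeded, so a few kilobytes of peer-supplied data can never grow into gigabytes on the heap. The dictionary, the `make_sample` helper and the compressed inputs are constructed here and stand in for SPDY's ?ZDICT and for frame payloads a peer would send.

```python
import zlib
# Constructed stand-in for a public preset dictionary (cowlib's ?ZDICT is
# the real one). A shared dictionary shrinks the compressed input further;
# it never bounds how much output inflate can produce.
ZDICT = b"optionsgetheadpostputdeletetraceacceptaccept-charsetaccept-encodingaccept-language"

class InflateLimitExceeded(Exception):
    """Raised when decompressed output would exceed the configured bound."""

def bounded_inflate(data: bytes, max_out: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate `data` but never materialise more than `max_out` bytes.

    Output is pulled in steps of at most `chunk` bytes via `max_length`,
    so a highly compressed payload is rejected after producing at most
    `max_out` + 1 bytes instead of whatever the peer chose to send.
    """
    d = zlib.decompressobj(zdict=ZDICT)
    out = bytearray()
    pending = data
    while True:
        # Never ask for 0 bytes: max_length=0 means "unlimited" in Python.
        want = min(chunk, max_out - len(out) + 1)
        piece = d.decompress(pending, want)
        pending = d.unconsumed_tail  # input zlib has not processed yet
        out += piece
        if len(out) > max_out:
            raise InflateLimitExceeded(f"decompressed output exceeds {max_out} bytes")
        if d.eof:
            return bytes(out)
        if not piece and not pending:
            raise ValueError("truncated or incomplete deflate stream")

def inflate_within(data: bytes, max_out: int):
    """Return the inflated bytes, or None if the output bound was hit."""
    try:
        return bounded_inflate(data, max_out)
    except InflateLimitExceeded:
        return None

def make_sample(payload: bytes) -> bytes:
    """Compress `payload` with the shared dictionary (constructed test input)."""
    c = zlib.compressobj(level=9, zdict=ZDICT)
    return c.compress(payload) + c.flush()

if __name__ == "__main__":
    headers = make_sample(b"host: example\r\nuser-agent: test\r\n")
    print(bounded_inflate(headers, 4096))
    # A few KiB of compressed zeros that would inflate to 4 MiB: rejected.
    bomb = make_sample(b"\0" * (4 << 20))
    print(len(bomb), inflate_within(bomb, 256 * 1024))
```

The budget should be set per protocol context (for instance a header block limit), and the rejection should be logged with the peer identity so repeated attempts are visible in monitoring.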
--- Begin Message ---
Source: erlang-cowlib
Source-Version: 2.17.1-1
Done: Sergei Golovan <[email protected]>
We believe that the bug you reported is fixed in the latest version of
erlang-cowlib, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sergei Golovan <[email protected]> (supplier of updated erlang-cowlib package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 19 Jun 2026 13:06:40 +0300
Source: erlang-cowlib
Architecture: source
Version: 2.17.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Erlang Packagers <[email protected]>
Changed-By: Sergei Golovan <[email protected]>
Closes: 1064932 1073092 1136446 1136649
Changes:
erlang-cowlib (2.17.1-1) unstable; urgency=medium
.
* New upstream release (closes: #1064932).
- Fix for CVE-2026-7790: Uncontrolled Resource Consumption
vulnerability in ninenines cowlib application, cow_http_te module
(closes: #1136446).
- Fix for CVE-2026-43970: Improper Handling of Highly Compressed
Data (Data Amplification) vulnerability in ninenines cowlib
application (closes: #1136649).
* Drop a no longer necessary patch.
* Drop build dependency on markdown (closes: #1073092).
* Add myself to uploaders.
* Bump debhelper compatibility level to 13.
* Bump standards version to 4.7.4.
* Bump debian/watch version to 4.
--- End Message ---