-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4590-1                [email protected]
https://www.debian.org/lts/security/                      Lucas Kanashiro
May 18, 2026                                  https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : erlang
Version        : 1:23.2.6+dfsg-1+deb11u4
CVE ID         : CVE-2026-21620 CVE-2026-23941 CVE-2026-23942 CVE-2026-23943
Debian Bug     : 1128651 1130912

Multiple vulnerabilities were discovered in Erlang, a concurrent, real-time,
distributed functional language.

CVE-2026-21620

    Insufficient path sanitizing in tftp_file module.

CVE-2026-23941

    Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
    vulnerability in Erlang OTP (inets httpd module) allows HTTP Request
    Smuggling.

CVE-2026-23942

    Improper Limitation of a Pathname to a Restricted Directory ('Path
    Traversal') vulnerability in Erlang OTP (ssh_sftpd module) allows Path
    Traversal.

CVE-2026-23943

    Improper Handling of Highly Compressed Data (Compression Bomb)
    vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of
    Service via Resource Depletion.

For Debian 11 bullseye, these problems have been fixed in version
1:23.2.6+dfsg-1+deb11u4.

We recommend that you upgrade your erlang packages.

For the detailed security status of erlang please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/erlang

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS