#1128651 erlang: CVE-2026-21620

Package:
src:erlang
Source:
src:erlang
Submitter:
Salvatore Bonaccorso
Date:
2026-05-03 16:34:03 UTC
Severity:
normal
Tags:
#1128651#5
Date:
2026-02-22 10:08:56 UTC
Source: erlang
Version: 1:27.3.4.6+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/erlang/otp/pull/10706
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 1:27.3.4.1+dfsg-1
Control: found -1 1:25.2.3+dfsg-1
Control: found -1 1:25.2.3+dfsg-1+deb12u1
Control: found -1 1:25.2.3+dfsg-1+deb12u3

Hi,

The following vulnerability was published for erlang.

CVE-2026-21620[0]:
| Relative Path Traversal, Improper Isolation or Compartmentalization
| vulnerability in erlang otp erlang/otp (tftp_file modules), erlang
| otp inets (tftp_file modules), erlang otp tftp (tftp_file modules)
| allows Relative Path Traversal. This vulnerability is associated
| with program files lib/tftp/src/tftp_file.erl, src/tftp_file.erl.
| This issue affects otp: from 17.0, from
| 07b8f441ca711f9812fad9e9115bab3c3aa92f79; otp: from 5.10 before 7.0;
| otp: from 1.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-21620
https://www.cve.org/CVERecord?id=CVE-2026-21620
[1] https://github.com/erlang/otp/security/advisories/GHSA-hmrc-prh3-rpvp
[2] https://github.com/erlang/otp/pull/10706
[3] https://github.com/erlang/otp/commit/3970738f687325138eb75f798054fa8960ac354e
[4] https://github.com/erlang/otp/commit/655fb95725ba2fb811740b57e106873833824344

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

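The kind of path-confinement check the CVE description above calls for, written here as an added Python example; it is not code from Erlang/OTP's tftp_file.erl, from the referenced commits, or from this bug report, and it does not reproduce the exact fix OTP adopted. It parses a TFTP read/write request in its RFC 1350 layout (2-byte opcode, NUL-terminated filename, NUL-terminated mode) and then maps the client-supplied filename onto the server root in two ways: a traversal-prone join that trusts the name, and a confined lookup that normalizes the path and rejects anything that escapes the root. The root directory /srv/tftp, the packet bytes and all function names are constructed for the illustration.

```python
"""Reject relative-path traversal in a TFTP server's file lookup.

Illustrative example only; not code from Erlang/OTP's tftp_file.erl.
The root directory, packet bytes and function names are constructed.
"""
import posixpath
import struct

RRQ, WRQ = 1, 2  # TFTP opcodes for read and write requests (RFC 1350)


def parse_request(pkt: bytes):
    """Parse a TFTP RRQ/WRQ packet into (opcode, filename, mode).

    Layout: 2-byte big-endian opcode, filename, NUL, mode, NUL. Option fields
    (RFC 2347) may follow the mode; they are accepted but ignored here.
    """
    if len(pkt) < 4 or not pkt.endswith(b"\x00"):
        raise ValueError("short or unterminated request")
    (opcode,) = struct.unpack("!H", pkt[:2])
    if opcode not in (RRQ, WRQ):
        raise ValueError(f"not a read/write request: opcode {opcode}")
    fields = pkt[2:].split(b"\x00")
    if len(fields) < 3:
        raise ValueError("request lacks filename or mode")
    filename = fields[0].decode("ascii")
    mode = fields[1].decode("ascii").lower()
    if mode not in ("netascii", "octet"):
        raise ValueError(f"unsupported transfer mode {mode!r}")
    return opcode, filename, mode


def naive_resolve(root: str, requested: str) -> str:
    """Traversal-prone lookup: join root and the client name, then return the
    path the kernel would actually resolve. '..' segments walk out of root."""
    return posixpath.normpath(posixpath.join(root, requested))


def safe_resolve(root: str, requested: str):
    """Map a client-supplied TFTP filename onto a path strictly inside root.

    Returns the normalized absolute path, or None if the name would escape.
    Design choices (this example's, not OTP's): a leading '/' is treated as
    root-relative, the root itself is not a servable file, and the check is
    lexical (normpath), so it assumes no symlink under root points outside it.
    """
    root_abs = posixpath.normpath(root)
    if not posixpath.isabs(root_abs):
        raise ValueError("root must be an absolute path")
    if requested == "" or "\x00" in requested:
        return None
    rel = requested.lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root_abs, rel))
    # Compare against root plus a trailing '/' so that a sibling directory such
    # as /srv/tftp-private does not pass a bare startswith(root) prefix test.
    prefix = root_abs if root_abs.endswith("/") else root_abs + "/"
    if candidate == root_abs or not candidate.startswith(prefix):
        return None
    return candidate


def handle_request(root: str, pkt: bytes):
    """Parse a request packet and return the confined file path, or None."""
    _, filename, _ = parse_request(pkt)
    return safe_resolve(root, filename)


if __name__ == "__main__":
    root = "/srv/tftp"  # constructed example root
    # Constructed RRQ for "../../etc/passwd" in octet mode.
    evil = b"\x00\x01" + b"../../etc/passwd\x00" + b"octet\x00"
    _, name, _ = parse_request(evil)
    print("naive lookup opens:", naive_resolve(root, name))
    print("confined lookup   :", handle_request(root, evil))
```

The confined check is purely lexical: it stops `..` and absolute names from leaving the root, which is the class of problem the CVE text describes, but it does not protect against a symlink inside the root that points elsewhere. Because TFTP write requests may create files that do not yet exist, a realpath-style check cannot simply be substituted; serve from a root that contains no outward symlinks, or open files with O_NOFOLLOW where the platform offers it.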
#1128651#20
Date:
2026-03-09 19:20:54 UTC
Hi,

I submitted a salsa MR to fix this CVE in unstable here:

https://salsa.debian.org/erlang-team/packages/erlang/-/merge_requests/12

Once it is fixed in unstable I can work on the backport of the fix
while it migrates to testing. Let me know if you want to do that by
yourself Sergei.

Cheers!
Lucas Kanashiro

#1128651#25
Date:
2026-03-09 19:23:23 UTC
Hi Lucas!

I'll upload the new upstream release with the fix shortly. Thank you for
the suggestion!

Sergei Golovan

#1128651#30
Date:
2026-03-10 08:35:39 UTC
We believe that the bug you reported is fixed in the latest version of
erlang, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1128651@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sergei Golovan <sgolovan@debian.org> (supplier of updated erlang package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 10 Mar 2026 10:07:09 +0300
Source: erlang
Architecture: source
Version: 1:27.3.4.8+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>
Changed-By: Sergei Golovan <sgolovan@debian.org>
Closes: 1128651
Changes:
 erlang (1:27.3.4.8+dfsg-1) unstable; urgency=medium
 .
   * New upstream release.
   * Fix CVE-2026-21620: a bug which allows TFTP to specify a file to download
     outside the TFTP root directory (closes: #1128651).
Checksums-Sha1:
 2e450bdce2c6a5957b8554dd216bd5dd4cdc9bc3 4910 erlang_27.3.4.8+dfsg-1.dsc
 e3c4b759d5a52d47d11636133da4c770f1b52b20 47615816 erlang_27.3.4.8+dfsg.orig.tar.xz
 1540e69a71c42026cf3ca16d9e5069adad6971f9 57936 erlang_27.3.4.8+dfsg-1.debian.tar.xz
 c896119121b541d66312c5f08a0b470decb8f4e5 31187 erlang_27.3.4.8+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 eb6f3ff080379d2580f050e197917c938dd51f6c1bc0845238f9bfc8dee7e054 4910 erlang_27.3.4.8+dfsg-1.dsc
 1712c29280d1916e68bee181af95064565c4b90333ea00b82d6c2de318a14e58 47615816 erlang_27.3.4.8+dfsg.orig.tar.xz
 da5feee2a0b853e195b6f3d706310649126740a823f6326c5d9be87a5ec70619 57936 erlang_27.3.4.8+dfsg-1.debian.tar.xz
 f6827c9bcde889642eaafb4e6502f9917e6edecc3ba4c31c83ce2bc98c35a3ac 31187 erlang_27.3.4.8+dfsg-1_amd64.buildinfo
Files:
 653b5b59df48d70f548b2ebd23625d1d 4910 interpreters optional erlang_27.3.4.8+dfsg-1.dsc
 e749aaf5b6eb6fabfa30dd122cb90692 47615816 interpreters optional erlang_27.3.4.8+dfsg.orig.tar.xz
 9a29e54a524cc727fc65a3ef65933d68 57936 interpreters optional erlang_27.3.4.8+dfsg-1.debian.tar.xz
 681ebedfd68c7479cf8fabfb933f62d4 31187 interpreters optional erlang_27.3.4.8+dfsg-1_amd64.buildinfo

#1128651#35
Date:
2026-05-02 19:32:23 UTC
We believe that the bug you reported is fixed in the latest version of
erlang, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1128651@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sergei Golovan <sgolovan@debian.org> (supplier of updated erlang package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 04 Apr 2026 16:45:31 +0300
Source: erlang
Architecture: source
Version: 1:27.3.4.1+dfsg-1+deb13u2
Distribution: trixie
Urgency: medium
Maintainer: Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>
Changed-By: Sergei Golovan <sgolovan@debian.org>
Closes: 1128651 1130912
Changes:
 erlang (1:27.3.4.1+dfsg-1+deb13u2) trixie; urgency=medium
 .
   [ Lucas Kanashiro ]
   * Fix CVE-2026-21620.
     Relative Path Traversal, Improper Isolation or Compartmentalization
     vulnerability in Erlang OTP (tftp_file modules). Closes: #1128651
   * Fix CVE-2026-23941.
     Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
     vulnerability in Erlang OTP (inets httpd module) allows HTTP Request
     Smuggling.
     - d/p/CVE-2026-23941.patch
   * Fix CVE-2026-23942.
     Improper Limitation of a Pathname to a Restricted Directory ('Path
     Traversal') vulnerability in Erlang OTP (ssh_sftpd module) allows Path
     Traversal.
     - d/p/CVE-2026-23942.patch
   * Fix CVE-2026-23943.
     Improper Handling of Highly Compressed Data (Compression Bomb)
     vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of
     Service via Resource Depletion.
     - d/p/CVE-2026-23943.patch
     Closes: #1130912
Checksums-Sha1:
 257dd81488b5a65ccf22b1dc6bc5edbe431a3a0f 4942 erlang_27.3.4.1+dfsg-1+deb13u2.dsc
 fd2fb83babb193080dde220b48cd747ecd34e9c1 81592 erlang_27.3.4.1+dfsg-1+deb13u2.debian.tar.xz
 009e5c3a9865f14dc8d1ed35385c14f745bc75a5 32187 erlang_27.3.4.1+dfsg-1+deb13u2_amd64.buildinfo
Checksums-Sha256:
 b4ea709dcf33f86d488ad2bf6301eb8c47c9adec68f4ea0a86eb1d779ef00c08 4942 erlang_27.3.4.1+dfsg-1+deb13u2.dsc
 6d8eb82e8667bdfec2c8acbb910fd5bbbee0b0fb81c198e830fb9c26767ff77c 81592 erlang_27.3.4.1+dfsg-1+deb13u2.debian.tar.xz
 8c6813a4d80310eafca9cec6463f7f70bab366f813d1e46cbcf7784fd92b194d 32187 erlang_27.3.4.1+dfsg-1+deb13u2_amd64.buildinfo
Files:
 c1940739194f0b92925659034a4cc1b7 4942 interpreters optional erlang_27.3.4.1+dfsg-1+deb13u2.dsc
 65f43668662b1c192620f6615ea67701 81592 interpreters optional erlang_27.3.4.1+dfsg-1+deb13u2.debian.tar.xz
 f14007a6d5a303ee50b04c9b9ee7b72d 32187 interpreters optional erlang_27.3.4.1+dfsg-1+deb13u2_amd64.buildinfo

#1128651#40
Date:
2026-05-03 16:33:04 UTC
We believe that the bug you reported is fixed in the latest version of
erlang, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1128651@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sergei Golovan <sgolovan@debian.org> (supplier of updated erlang package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 07 Apr 2026 13:54:55 +0300
Source: erlang
Architecture: source
Version: 1:25.2.3+dfsg-1+deb12u4
Distribution: bookworm
Urgency: medium
Maintainer: Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>
Changed-By: Sergei Golovan <sgolovan@debian.org>
Closes: 1115090 1115091 1115092 1115093 1128651 1130912
Changes:
 erlang (1:25.2.3+dfsg-1+deb12u4) bookworm; urgency=medium
 .
   [ Jochen Sprickerhof ]
   * Add salsa-ci
   * Add gbp.conf.
     Needed to reproduce the orig.tar with empty directories.
   * Fix CVE-2025-48038: allocation of resources without limits or throttling
     vulnerability in the ssh_sftp module allows excessive allocation,
     resource leak exposure (closes: #1115093).
   * Fix CVE-2025-48039: allocation of resources without limits or throttling
     vulnerability in the ssh_sftp module allows excessive allocation,
     resource leak exposure (closes: #1115092).
   * Fix CVE-2025-48040: uncontrolled resource consumption vulnerability in
     the ssh_sftp module allows excessive allocation, flooding (closes: #1115091).
   * Fix CVE-2025-48041: allocation of resources without limits or throttling
     vulnerability in the ssh_sftp module allows excessive allocation,
     flooding (closes: #1115090).
 .
   [ Lucas Kanashiro ]
   * Fix CVE-2026-23941.
     Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
     vulnerability in Erlang OTP (inets httpd module) allows HTTP Request
     Smuggling.
   * Fix CVE-2026-23942.
     Improper Limitation of a Pathname to a Restricted Directory ('Path
     Traversal') vulnerability in Erlang OTP (ssh_sftpd module) allows Path
     Traversal.
   * Fix CVE-2026-23943.
     Improper Handling of Highly Compressed Data (Compression Bomb)
     vulnerability in Erlang OTP ssh (ssh_transport modules) allows Denial of
     Service via Resource Depletion.
     Closes: #1130912.
 .
   [ Sergei Golovan ]
   * Fix CVE-2026-21620.
     Relative Path Traversal, Improper Isolation or Compartmentalization
     vulnerability in Erlang/OTP (tftp_file modules) (closes: #1128651).
Checksums-Sha1:
 bedec899398c22c0ebf82ea636828d2bbbfe2091 5041 erlang_25.2.3+dfsg-1+deb12u4.dsc
 0cadda67ccbfcdf0918b16ec64f548c093c7c9b0 93732 erlang_25.2.3+dfsg-1+deb12u4.debian.tar.xz
 f1cb5c49e66bb6c2d002aa6e5c57938f20ddb500 31602 erlang_25.2.3+dfsg-1+deb12u4_amd64.buildinfo
Checksums-Sha256:
 f09c13e9ea6c39b371c15148dac3cf2745ff6e3fdfe979758e7780f4a42b04a7 5041 erlang_25.2.3+dfsg-1+deb12u4.dsc
 e940fcddc3e83b7e7c740d871aa6c0aec237069ce4589e79f28e1e701900f64d 93732 erlang_25.2.3+dfsg-1+deb12u4.debian.tar.xz
 28bc047aab531647be9a728677797e1d106a880e36c308a13d0a1b6f58982de6 31602 erlang_25.2.3+dfsg-1+deb12u4_amd64.buildinfo
Files:
 642dab00f18de63bb845513ec5a375d9 5041 interpreters optional erlang_25.2.3+dfsg-1+deb12u4.dsc
 153074a5d3941454a2cf0b114dbd9953 93732 interpreters optional erlang_25.2.3+dfsg-1+deb12u4.debian.tar.xz
 1a1311ed247f9511a956b6f2330b8f3a 31602 interpreters optional erlang_25.2.3+dfsg-1+deb12u4_amd64.buildinfo