UbuntuUpdates.org

Package "erlang-crypto"

Name: erlang-crypto

Description:

Erlang/OTP cryptographic modules
Latest version: 1:25.3.2.8+dfsg-1ubuntu4.5
Release: noble (24.04)
Level: updates
Repository: main
Head package: erlang
Homepage: http://www.erlang.org/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "erlang-crypto"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "erlang-crypto" in Noble

Repository Area Version
base main 1:25.3.2.8+dfsg-1ubuntu4
security main 1:25.3.2.8+dfsg-1ubuntu4.5

Changelog

Version: 1:25.3.2.8+dfsg-1ubuntu4.5 2025-10-22 01:08:41 UTC

  erlang (1:25.3.2.8+dfsg-1ubuntu4.5) noble-security; urgency=medium

  * SECURITY UPDATE: Increased resource consumption in the SSH module.
    - debian/patches/CVE-2025-48038.patch: Add handle_op for file handle length
      string exceeding 256 bytes in lib/ssh/src/ssh_sftpd.erl.
    - debian/patches/CVE-2025-48039.patch: Add max_path option and limits in
      lib/ssh/src/ssh_sftpd.erl.
    - debian/patches/CVE-2025-48040.patch: Add max_log_len in
      lib/ssh/src/ssh_connection.erl. Add Class:Reason0:Stacktrace for decode
      failures in lib/ssh/src/ssh_connection_handler.erl. Add trim_reason and
      max_log_len in lib/ssh/src/ssh_lib.erl. Change decode_kex_init in
      lib/ssh/src/ssh_message.erl. Change kexinit_error and modify Msg in
      lib/ssh/src/ssh_transport.erl.
    - debian/patches/CVE-2025-48041.patch: Add max_handles option and limits in
      lib/ssh/src/ssh_sftpd.erl.
    - CVE-2025-48038
    - CVE-2025-48039
    - CVE-2025-48040
    - CVE-2025-48041

 -- Hlib Korzhynskyy <email address hidden> Fri, 17 Oct 2025 12:53:40 -0230
Source diff to previous version
CVE-2025-48038 Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Ex
CVE-2025-48039 Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Ex
CVE-2025-48040 Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is ass
CVE-2025-48041 Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This v

Version: 1:25.3.2.8+dfsg-1ubuntu4.4 2025-07-21 17:20:03 UTC

  erlang (1:25.3.2.8+dfsg-1ubuntu4.4) noble-security; urgency=medium

  * SECURITY UPDATE: insufficient strict KEX handshake hardening measures
    - debian/patches/CVE-2025-46712-1.patch: add KEX strict implementation
      fixes in lib/ssh/src/ssh_connection_handler.erl,
      lib/ssh/src/ssh_fsm_kexinit.erl, lib/ssh/src/ssh_transport.erl,
      lib/ssh/test/ssh_protocol_SUITE.erl,
      lib/ssh/test/ssh_trpt_test_lib.erl.
    - CVE-2025-46712
  * SECURITY UPDATE: path traversal and other issues in zip
    - debian/patches/CVE-2025-4748.patch: properly sanitize filenames when
      (un)zipping in lib/stdlib/src/zip.erl, lib/stdlib/test/zip_SUITE.erl.
    - CVE-2025-4748

 -- Marc Deslauriers <email address hidden> Thu, 10 Jul 2025 11:10:28 -0400
Source diff to previous version
CVE-2025-46712 Erlang/OTP is a set of libraries for the Erlang programming language. In versions prior to OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and O
CVE-2025-4748 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Trav

Version: 1:25.3.2.8+dfsg-1ubuntu4.3 2025-04-18 14:09:11 UTC

  erlang (1:25.3.2.8+dfsg-1ubuntu4.3) noble-security; urgency=medium

  * SECURITY UPDATE: Unauthenticated Remote Code Execution in SSH
    - debian/patches/CVE-2025-32433.patch: disconnect when connection
      protocol message arrives when user is not authenticated for
      connection in lib/ssh/src/ssh_connection.erl,
      lib/ssh/test/ssh_protocol_SUITE.erl.
    - CVE-2025-32433

 -- Marc Deslauriers <email address hidden> Wed, 16 Apr 2025 14:21:37 -0400
Source diff to previous version
CVE-2025-32433 Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server ma

Version: 1:25.3.2.8+dfsg-1ubuntu4.2 2025-04-08 18:07:36 UTC

  erlang (1:25.3.2.8+dfsg-1ubuntu4.2) noble-security; urgency=medium

  * SECURITY UPDATE: denial of service
    - debian/patches/CVE-2025-30211-1.patch: reduce log processing for
      plain connections.
    - debian/patches/CVE-2025-30211-2.patch: ignore too long names.
    - debian/patches/CVE-2025-30211-3.patch: use chars_limit for bad
      packets error messages.
    - debian/patches/CVE-2025-30211-4.patch: custom_kexinit test added.
    - CVE-2025-30211

 -- Fabian Toepfer <email address hidden> Wed, 02 Apr 2025 19:25:37 +0200
Source diff to previous version
CVE-2025-30211 Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KE

Version: 1:25.3.2.8+dfsg-1ubuntu4.1 2025-03-03 21:07:02 UTC

  erlang (1:25.3.2.8+dfsg-1ubuntu4.1) noble-security; urgency=medium

  * SECURITY UPDATE: incorrect SSH packet size check
    - debian/patches/CVE-2025-26618.patch: sftp reject packets exceeding
      limit in lib/ssh/src/ssh_sftpd.erl.
    - CVE-2025-26618

 -- Marc Deslauriers <email address hidden> Thu, 27 Feb 2025 10:51:40 -0500
CVE-2025-26618 Erlang is a programming language and runtime system for building massively scalable soft real-time systems with requirements on high availability. OT


About   -   Send Feedback to @ubuntu_updates