[Buildroot] [PATCH] package/erlang: security bump to v26.2.5.15

Julien Olivain ju.o at free.fr
Mon Oct 6 19:25:12 UTC 2025


On 06/10/2025 16:15, Titouan Christophe via buildroot wrote:
> See the release notes on
> https://github.com/erlang/otp/releases?q=OTP-26.&expanded=true
> 
> Also, remove patch that is now applied upstream
> 
> This fixes the following vulnerabilities:
> - CVE-2024-53846:
>     OTP is a set of Erlang libraries, which consists of the Erlang runtime
>     system, a number of ready-to-use components mainly written in Erlang,
>     and a set of design principles for Erlang programs. A regression was
>     introduced into the ssl application of OTP starting at OTP-25.3.2.8,
>     OTP-26.2, and OTP-27.0, resulting in a server or client verifying the
>     peer when incorrect extended key usage is presented (i.e., a server
>     will verify a client if they have server auth ext key usage and vice
>     versa).
>     https://www.cve.org/CVERecord?id=CVE-2024-53846
> 
> - CVE-2025-4748:
>     Improper Limitation of a Pathname to a Restricted Directory ('Path
>     Traversal') vulnerability in Erlang OTP (stdlib modules) allows
>     Absolute Path Traversal, File Manipulation. This vulnerability is
>     associated with program files lib/stdlib/src/zip.erl and program
>     routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless
>     the memory option is passed.  This issue affects OTP from OTP 17.0
>     until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to
>     stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.
>     https://www.cve.org/CVERecord?id=CVE-2025-4748
> 
> - CVE-2025-26618:
>     Erlang is a programming language and runtime system for building
>     massively scalable soft real-time systems with requirements on high
>     availability. OTP is a set of Erlang libraries, which consists of the
>     Erlang runtime system, a number of ready-to-use components mainly
>     written in Erlang. Packet size is not verified properly for SFTP
>     packets. As a result, when multiple SSH packets (conforming to max SSH
>     packet size) are received by ssh, they might be combined into an SFTP
>     packet which will exceed the max allowed packet size and potentially
>     cause a large amount of memory to be allocated. Note that the situation
>     described above can only happen for successfully authenticated users
>     after completing the SSH handshake. This issue has been patched in OTP
>     versions 27.2.4, 26.2.5.9, and 25.3.2.18. There are no known
>     workarounds for this vulnerability.
>     https://www.cve.org/CVERecord?id=CVE-2025-26618
> 
> - CVE-2025-30211:
>     Erlang/OTP is a set of libraries for the Erlang programming language.
>     Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously
>     formed KEX init message can result in high memory usage. The
>     implementation does not verify RFC specified limits on algorithm names
>     (64 characters) provided in the KEX init message. A big KEX init packet
>     may lead to inefficient processing of the error data. As a result, a
>     large amount of memory will be allocated for processing malicious data.
>     Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue.
>     Some workarounds are available. One may set option `parallel_login` to
>     `false` and/or reduce the `max_sessions` option.
>     https://www.cve.org/CVERecord?id=CVE-2025-30211
> 
> - CVE-2025-32433:
>     Erlang/OTP is a set of libraries for the Erlang programming language.
>     Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, an SSH
>     server may allow an attacker to perform unauthenticated remote code
>     execution (RCE). By exploiting a flaw in SSH protocol message
>     handling, a malicious actor could gain unauthorized access to affected
>     systems and execute arbitrary commands without valid credentials. This
>     issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and
>     OTP-25.3.2.20. A temporary workaround involves disabling the SSH
>     server or preventing access via firewall rules.
>     https://www.cve.org/CVERecord?id=CVE-2025-32433
> 
> - CVE-2025-46712:
>     Erlang/OTP is a set of libraries for the Erlang programming language.
>     In versions prior to OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for
>     OTP-26), and OTP-25.3.2.21 (for OTP-25), Erlang/OTP SSH fails to
>     enforce strict KEX handshake hardening measures by allowing optional
>     messages to be exchanged. This allows a Man-in-the-Middle attacker to
>     inject these messages in a connection during the handshake. This issue
>     has been patched in versions OTP-27.3.4 (for OTP-27), OTP-26.2.5.12
>     (for OTP-26), and OTP-25.3.2.21 (for OTP-25).
>     https://www.cve.org/CVERecord?id=CVE-2025-46712
> 
> - CVE-2025-48038:
>     Allocation of Resources Without Limits or Throttling vulnerability in
>     Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation,
>     Resource Leak Exposure. This vulnerability is associated with program
>     files lib/ssh/src/ssh_sftpd.erl.  This issue affects OTP from OTP 17.0
>     until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from
>     3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
>     https://www.cve.org/CVERecord?id=CVE-2025-48038
> 
> - CVE-2025-48039:
>     Allocation of Resources Without Limits or Throttling vulnerability in
>     Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation,
>     Resource Leak Exposure. This vulnerability is associated with program
>     files lib/ssh/src/ssh_sftpd.erl.  This issue affects OTP from OTP 17.0
>     until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from
>     3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
>     https://www.cve.org/CVERecord?id=CVE-2025-48039
> 
> - CVE-2025-48040:
>     Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh
>     (ssh_sftp modules) allows Excessive Allocation, Flooding. This
>     vulnerability is associated with program files
>     lib/ssh/src/ssh_sftpd.erl.  This issue affects OTP from OTP 17.0 until
>     OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1
>     until 5.3.3, 5.2.11.3 and 5.1.4.12.
>     https://www.cve.org/CVERecord?id=CVE-2025-48040
> 
> - CVE-2025-48041:
>     Allocation of Resources Without Limits or Throttling vulnerability in
>     Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation,
>     Flooding. This vulnerability is associated with program files
>     lib/ssh/src/ssh_sftpd.erl.  This issue affects OTP from OTP 17.0 until
>     OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1
>     until 5.3.3, 5.2.11.3 and 5.1.4.12.
>     https://www.cve.org/CVERecord?id=CVE-2025-48041
> 
> NB: Since Erlang is quite a "large" package, containing the language itself,
> some libraries, and some "applications", it's difficult to tell which CVEs
> are exactly affecting Buildroot, but it's a good idea to update anyway
> 
> Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>

Applied to master, thanks.
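As an added example (not from the patch, the mailing list, or OTP itself), an Erlang module applying the two mitigations the quoted CVE text names for systems that cannot bump yet: the `parallel_login`/`max_sessions` daemon options for CVE-2025-30211, and in-memory extraction with entry-name validation for CVE-2025-4748 (which applies unless the `memory` option is passed). The `system_dir` path and the session limit of 10 are assumptions.

```erlang
%% Added example, not part of the Buildroot patch or of OTP.
-module(otp_mitigations).
-export([start_hardened_sshd/1, safe_unzip/2, safe_name/1]).

%% CVE-2025-30211 workaround quoted in the commit message: refuse parallel
%% logins and cap concurrent sessions so a flood of oversized KEX init
%% packets cannot be processed concurrently. system_dir and the limit of 10
%% are assumptions; a real deployment adds its own auth options.
start_hardened_sshd(Port) ->
    ssh:daemon(Port, [{system_dir, "/etc/ssh"},
                      {parallel_login, false},
                      {max_sessions, 10}]).

%% CVE-2025-4748 does not apply when the memory option is used, so extract
%% into memory first, validate every entry name, and only then write files
%% under DestDir. Any absolute or ".."-containing name aborts the extraction.
safe_unzip(ZipBin, DestDir) when is_binary(ZipBin) ->
    {ok, Entries} = zip:unzip(ZipBin, [memory]),
    lists:foreach(
      fun({Name, Data}) ->
              case safe_name(Name) of
                  true ->
                      Path = filename:join(DestDir, Name),
                      ok = filelib:ensure_dir(Path),
                      ok = file:write_file(Path, Data);
                  false ->
                      error({unsafe_zip_entry, Name})
              end
      end, Entries),
    ok.

%% An entry name is accepted only if it is a relative path with no ".."
%% component, e.g. "a/b.txt" passes, "/etc/passwd" and "../x" are rejected.
safe_name(Name) ->
    filename:pathtype(Name) =:= relative andalso
        not lists:member("..", filename:split(Name)).
```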