Debian Patches

Status for erlang/1:25.2.3+dfsg-1+deb12u4

Fields: Patch, Description, Author, Forwarded, Bugs, Origin, Last update

Patch: clean.patch
Description: clean.patch by Sergei Golovan <sgolovan@nes.ru>.
  Erlang leaves many files after make clean. This patch contains
  a hack to remove them.
Forwarded: no

Patch: gnu.patch
Description:
  (1) Defines GNU macros not only for Linux but also for any system
  with a 'gnu' substring in the OS name. Fixes FTBFS on GNU/kFreeBSD and GNU/Hurd.
  (2) Undefines BSD4_4 for the os_mon application for GNU/Hurd;
  (3) Undefines AF_LINK for GNU/Hurd;
  (4) Switches some PATH_MAX occurrences to MAXPATHLEN;
  (5) Adds a workaround for 'erlc -M | sed' being stuck for GNU/Hurd.
Author: Pino Toscano <pino@debian.org>
Forwarded: no

Patch: man.patch
Description: man.patch by Francois-Denis Gonthier <neumann@lostwebsite.net>.
  Patch allows one to use the standard man path with the erl -man command.
  (Erlang manual pages are placed in the /usr/share/man/ hierarchy
  as required by Debian policy.)
Forwarded: no

Patch: emacs.patch
Description: Patch by Balint Reczey <balint@balintreczey.hu> fixes backquote
  syntax (see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494823).
  Also, it fixes the manpage name regexp matching only 3erl manpages in
  section 3.
Forwarded: no

Patch: docs.patch
Description: Fixes a bug with the .RE macro in the Erlang manpages and a few bugs
  with docs installation.
Author: Sergei Golovan <sgolovan@debian.org>
Forwarded: no

Patch: java.patch
Description: GCJ 4.4 passes the test for JDK 1.5 but doesn't implement the
  String#String(int[], int, int) constructor, which breaks the jinterface
  build. This patch adds a check for the definition of this constructor.
  It helps to build Erlang on architectures without openjdk-6 available.
Author: Sergei Golovan <sgolovan@debian.org>
Forwarded: invalid

Patch: javascript.patch
Forwarded: no

Patch: x32.patch
Description: This patch fixes FTBFS for the x86_x32 architecture (x86_64 with
  32-bit integers, longs and pointers).
Author: Sergei Golovan
Forwarded: no

Patch: ssh-KEX-strict.patch
Description: ssh: KEX strict. The patch strictens KEX to avoid disabling or
  downgrading security features for the connection.
  - negotiate "strict KEX" OpenSSH feature
  - when negotiated between peers apply strict KEX
  - related tests
  - print_seqnums fix in ssh_trtp test code
Author: Jakub Witczak <kuba@erlang.org>
Forwarded: no
Origin: debian https://github.com/erlang/otp/commit/ee67d46285394db95133709cef74b0c462d665aa
Last update: 2023-12-15

Patch: ssh-sftp-reject-packets-exceeding-limit.patch
Description: ssh: sftp reject packets exceeding limit
Author: Jakub Witczak <kuba@erlang.org>
Forwarded: no
Origin: https://github.com/erlang/otp/commit/0ed2573cbd55c92e9125c9dc70fa1ca7fed82872
Last update: 2025-02-06

Patch: ssh-reduce-log-processing-for-plain-connections.patch
Description: ssh: reduce log processing for plain connections - avoid unnecessary
  data processing
Author: Jakub Witczak <kuba@erlang.org>
Forwarded: no
Origin: debian https://github.com/erlang/otp/commit/df3aad2c5570847895562ff96a725190571f028c
Last update: 2025-03-13

Patch: ssh-ignore-too-long-names.patch
Description: ssh: ignore too long names. The patch makes the Erlang SSH
  application ignore long algorithm names in order to fix a denial of service
  because of high memory consumption.
Author: Jakub Witczak <kuba@erlang.org>
Forwarded: no
Origin: debian https://github.com/erlang/otp/commit/655e20a49ef80431e86ffb6c7f366d01fd4b64c3
Last update: 2025-03-21

Patch: ssh-use-chars_limit-for-bad-packets-error-messages.patch
Description: ssh: use chars_limit for bad packets error messages. The patch
  limits the length of error messages sent in reply to very long invalid packets.
Author: Jakub Witczak <kuba@erlang.org>
Forwarded: no
Origin: debian https://github.com/erlang/otp/commit/d64d9fb0688092356a336e38a8717499113312a0
Last update: 2025-03-21

Patch: ssh-custom_kexinit-test-added.patch
Description: ssh: custom_kexinit test added. The test uses a big KEX init packet
  which causes large memory consumption for Erlang prior to 25.3.2.19.
Author: Jakub Witczak <kuba@erlang.org>
Forwarded: no
Origin: debian https://github.com/erlang/otp/commit/5ee26eb412a76ba1c6afdf4524b62939a48d1bce
Last update: 2025-03-24

Patch: ssh-early-RCE-fix.patch
Description: ssh: early RCE fix. The patch fixes remote code execution (RCE) by
  an unauthenticated user.
  - disconnect when connection protocol message arrives
  - when user is not authenticated for connection
  - see RFC4252 sec.6
Author: Jakub Witczak <kuba@erlang.org>
Forwarded: no
Origin: debian https://github.com/erlang/otp/commit/0fcd9c56524b28615e8ece65fc0c3f66ef6e4c12
Last update: 2025-04-14

Patch: ssh-strict-KEX-exchange-hardening.patch
Description: ssh: KEX strict implementation fixes
  - fixed KEX strict implementation
  - draft-miller-sshm-strict-kex-01.txt
  - ssh_dbg added to ssh_fsm_kexinit module
  - CVE-2025-46712
Author: Jakub Witczak <kuba@erlang.org>
Forwarded: no
Origin: debian https://github.com/erlang/otp/commit/e4b56a9f4a511aa9990dd86c16c61439c828df83
Last update: 2025-05-06

Patch: zip-sanitize-paths.patch
Description: stdlib: Properly sanitize filenames when (un)zipping. According to
  the Zip APPNOTE filenames "MUST NOT contain a drive or device letter, or a
  leading slash." So we strip those when zipping and unzipping.
Author: Lukas Backstrom <lukas@erlang.org>
Forwarded: no
Origin: debian https://github.com/erlang/otp/commit/ee67d46285394db95133709cef74b0c462d665aa
Last update: 2025-05-27

Patch: xslt-for-each.patch
Description: Patch fixes redefinition of an XSLT variable inside a for-each loop.
Author: Sergei Golovan
Forwarded: no

Patch: CVE-2025-48038.patch
Description: ssh: verify file handle size limit for client data
  - reject handles exceeding 256 bytes (as specified for SFTP)
Author: Jakub Witczak <kuba@erlang.org>
Forwarded: no
Origin: https://github.com/erlang/otp/commit/f09e0201ff701993dc24a08f15e524daf72db42f
Last update: 2025-08-27

Patch: CVE-2025-48039.patch
Description: ssh: ssh_sftpd verify path size for client data
  - reject max_path exceeding the 4096 limit or according to other option value
Author: Jakub Witczak <kuba@erlang.org>
Forwarded: no
Origin: https://github.com/erlang/otp/commit/043ee3c943e2977c1acdd740ad13992fd60b6bf0
Last update: 2025-07-11

Patch: CVE-2025-48040.patch
Description: ssh: key exchange robustness improvements
  - reduce untrusted data processing for non-debug logs
  - trim badmatch exceptions to avoid processing potentially malicious data
  - terminate with kexinit_error when too many algorithms are received in KEX init message
Author: Jakub Witczak <kuba@erlang.org>
Forwarded: no
Origin: https://github.com/erlang/otp/commit/548f1295d86d0803da884db8685cc16d461d0d5a
Last update: 2025-08-20

Patch: CVE-2025-48041.patch
Description: ssh: max_handles option added to ssh_sftpd
  - add max_handles option and update tests (1000 by default)
  - remove sshd_read_file redundant testcase
Author: Jakub Witczak <kuba@erlang.org>
Forwarded: no
Origin: https://github.com/erlang/otp/commit/d49efa2d4fa9e6f7ee658719cd76ffe7a33c2401
Last update: 2025-08-20

Patch: CVE-2026-23941.patch
Description: Merge branch 'whaileee/inets/httpd/http-request-smuggling/OTP-20007' into maint-27
  * whaileee/inets/httpd/http-request-smuggling/OTP-20007:
    Prevent httpd from parsing HTTP requests when multiple Content-Length headers are present
Author: Erlang/OTP <otp@erlang.org>
Forwarded: no
Origin: debian upstream, https://github.com/erlang/otp/commit/a761d391d8d08316cbd7d4a86733ba932b73c45b
Last update: 2026-03-12

Patch: CVE-2026-23942.patch
Description: Merge branch 'kuba/maint-27/ssh/sftp_path/OTP-20009' into maint-27
  * kuba/maint-27/ssh/sftp_path/OTP-20009:
    ssh: Fix path traversal vulnerability in ssh_sftpd root directory validation
Author: Erlang/OTP <otp@erlang.org>
Forwarded: no
Origin: debian backport, https://github.com/erlang/otp/commit/9e0ac85d3485e7898e0da88a14be0ee2310a3b28
Last update: 2026-03-12

Patch: CVE-2026-23943.patch
Description: Merge branch 'michal/maint-27/ssh/fix-unbounded-zlib-inflate/OTP-20011' into maint-27
  * michal/maint-27/ssh/fix-unbounded-zlib-inflate/OTP-20011:
    Add test for post-authentication compression
    Add information about compression-based attacks to hardening guide
    Adjust documentation to mention that zlib is disabled by default
    Add tests that verify we disconnect on too large decompressed data
    Always run compression test
    Disable zlib by default and limit size of decompressed data
Author: Erlang/OTP <otp@erlang.org>
Forwarded: no
Origin: debian backport, https://github.com/erlang/otp/commit/93073c3bd338c60cd2bae715ce6a1d4ffc1a8fd3
Last update: 2026-03-12

Patch: CVE-2026-21620.patch
Description: Patch fixes CVE-2026-21620.
  Ensure that relative path components do not allow
  a requested file name to go outside the configured root_dir.
  root_dir should be checked to be a directory and absolute.
  If root_dir is used, Filename should be checked to be
  relative under root_dir.
Author: Upstream
Forwarded: no
Last update: 2026-02-10