-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 07 Apr 2026 13:54:55 +0300
Source: erlang
Architecture: source
Version: 1:25.2.3+dfsg-1+deb12u4
Distribution: bookworm
Urgency: medium
Maintainer: Debian Erlang Packagers
Changed-By: Sergei Golovan
Closes: 1115090 1115091 1115092 1115093 1128651 1130912
Changes:
 erlang (1:25.2.3+dfsg-1+deb12u4) bookworm; urgency=medium
 .
   [ Jochen Sprickerhof ]
   * Add salsa-ci
   * Add gbp.conf. Needed to reproduce the orig.tar with empty directories.
   * Fix CVE-2025-48038: allocation of resources without limits or throttling
     vulnerability in the ssh_sftp module allows excessive allocation,
     resource leak exposure (closes: #1115093).
   * Fix CVE-2025-48039: allocation of resources without limits or throttling
     vulnerability in the ssh_sftp module allows excessive allocation,
     resource leak exposure (closes: #1115092).
   * Fix CVE-2025-48040: uncontrolled resource consumption vulnerability in
     the ssh_sftp module allows excessive allocation, flooding
     (closes: 1115091).
   * Fix CVE-2025-48041: allocation of resources without limits or throttling
     vulnerability in the ssh_sftp module allows excessive allocation,
     flooding (closes: #1115090).
 .
   [ Lucas Kanashiro ]
   * Fix CVE-2026-23941. Inconsistent Interpretation of HTTP Requests
     ('HTTP Request Smuggling') vulnerability in Erlang OTP (inets httpd
     module) allows HTTP Request Smuggling.
   * Fix CVE-2026-23942. Improper Limitation of a Pathname to a Restricted
     Directory ('Path Traversal') vulnerability in Erlang OTP (ssh_sftpd
     module) allows Path Traversal.
   * Fix CVE-2026-23943. Improper Handling of Highly Compressed Data
     (Compression Bomb) vulnerability in Erlang OTP ssh (ssh_transport
     modules) allows Denial of Service via Resource Depletion.
     Closes: #1130912.
 .
   [ Sergei Golovan ]
   * Fix CVE-2026-21620. Relative Path Traversal, Improper Isolation or
     Compartmentalization vulnerability in Erlang/OTP (tftp_file modules)
     (closes: 1128651).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----