Vulnerability Details
Basic Information
| Title | [SECURITY] [DLA 4132-1] erlang security update |
|---|---|
| Type | debian |
| Published | 2025-04-20T23:48:59 |
| Last Seen | 2025-04-21T07:55:44 |
| CVSS Score | 10.0 (CRITICAL) |
CVSS v3 Details
| Attack Vector | NETWORK |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | CHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
CVE Information
| CVE IDs | CVE-2023-48795, CVE-2025-26618, CVE-2025-30211, CVE-2025-32433 |
|---|---|
| CWE | |
| Bulletin Family | unix |
Description
Debian LTS Advisory DLA-4132-1
https://www.debian.org/lts/security/ Bastien Roucariès
April 21, 2025 https://wiki.debian.org/LTS
------------------------------------------------------------------------
Package : erlang
Version : 1:23.2.6+dfsg-1+deb11u2
CVE ID : CVE-2023-48795 CVE-2025-26618 CVE-2025-30211 CVE-2025-32433
Debian Bug : 1059002 1101713 1103442
Multiple vulnerabilities were fixed in erlang.
CVE-2023-48795 (Terrapin attack)
The SSH transport protocol with certain OpenSSH extensions allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded.
CVE-2025-26618
The SSH transport protocol with certain OpenSSH extensions allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded.
CVE-2025-30211
The SSH transport protocol with certain OpenSSH extensions allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded.
CVE-2025-32433
An SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials.
For Debian 11 bullseye, these problems have been fixed in version
1:23.2.6+dfsg-1+deb11u2.
We recommend that you upgrade your erlang packages.
For the detailed security status of erlang please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/erlang
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Impact Assessment
| Base Score | 10.0 |
|---|---|
| Severity | CRITICAL |