Описание
Security update for erlang26
This update for erlang26 fixes the following issues:
- CVE-2025-30211: Fixed KEX init error results with excessive memory usage (bsc#1240390)
- CVE-2025-32433: Fixed unauthenticated remote code execution in Erlang/OTP SSH (bsc#1241300)
Список пакетов
SUSE Linux Enterprise Module for Server Applications 15 SP6
openSUSE Leap 15.6
Ссылки
- Link for SUSE-SU-2025:1356-1
- E-Mail link for SUSE-SU-2025:1356-1
- SUSE Security Ratings
- SUSE Bug 1240390
- SUSE Bug 1241300
- SUSE CVE CVE-2025-30211 page
- SUSE CVE CVE-2025-32433 page
Описание
Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result with high memory usage. Implementation does not verify RFC specified limits on algorithm names (64 characters) provided in KEX init message. Big KEX init packet may lead to inefficient processing of the error data. As a result, large amount of memory will be allocated for processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue. Some workarounds are available. One may set option `parallel_login` to `false` and/or reduce the `max_sessions` option.
Затронутые продукты
Ссылки
- CVE-2025-30211
- SUSE Bug 1240390
Описание
Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.
Затронутые продукты
Ссылки
- CVE-2025-32433
- SUSE Bug 1241300