Date: Sun, 20 Apr 2025 18:00:09 GMT From: Fernando =?utf-8?Q?Apestegu=C3=ADa?= <fernape@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 6895b5c637ec - main - security/vuxml: Add lang/erlang* vulnerabilities Message-ID: <202504201800.53KI09q7060288@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch main has been updated by fernape: URL: https://cgit.FreeBSD.org/ports/commit/?id=6895b5c637ec55eb8af505c0fec592a57b924037 commit 6895b5c637ec55eb8af505c0fec592a57b924037 Author: Fernando ApesteguĂa <fernape@FreeBSD.org> AuthorDate: 2025-04-20 17:59:06 +0000 Commit: Fernando ApesteguĂa <fernape@FreeBSD.org> CommitDate: 2025-04-20 17:59:50 +0000 security/vuxml: Add lang/erlang* vulnerabilities CVE-2025-32433 Reported by: Stefan Grundmann <sg@ennead.xyz> --- security/vuxml/vuln/2025.xml | 66 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml index 90b4b50e1a05..585c8d682e4a 100644 --- a/security/vuxml/vuln/2025.xml +++ b/security/vuxml/vuln/2025.xml @@ -1,3 +1,69 @@ + <vuln vid="06269ae8-1e0d-11f0-ad0b-b42e991fc52e"> + <topic>Erlang -- Erlang/OTP SSH Vulnerable to Pre-Authentication RCE</topic> + <affects> + <package> + <name>erlang</name> + <range><lt>26.2.5.11</lt></range> + </package> + <package> + <name>erlang-runtime21</name> + <range><lt>25.3.2.20</lt></range> + </package> + <package> + <name>erlang-runtime22</name> + <range><lt>25.3.2.20</lt></range> + </package> + <package> + <name>erlang-runtime23</name> + <range><lt>25.3.2.20</lt></range> + </package> + <package> + <name>erlang-runtime24</name> + <range><lt>25.3.2.20</lt></range> + </package> + <package> + <name>erlang-runtime25</name> + <range><lt>25.3.2.20</lt></range> + </package> + <package> + <name>erlang-runtime26</name> + <range><lt>26.2.5.11</lt></range> + </package> + <package> + <name>erlang-runtime27</name> + <range><lt>27.3.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>security-advisories@github.com reports:</p> + <blockquote cite="https://github.com/erlang/otp/commit/0fcd9c56524b28615e8ece65fc0c3f66ef6e4c12">; + <p> + Erlang/OTP is a set of libraries for the Erlang + programming language. Prior to versions OTP-27.3.3, + OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow + an attacker to perform unauthenticated remote code + execution (RCE). By exploiting a flaw in SSH protocol + message handling, a malicious actor could gain + unauthorized access to affected systems and execute + arbitrary commands without valid credentials. This issue + is patched in versions OTP-27.3.3, OTP-26.2.5.11, and + OTP-25.3.2.20. A temporary workaround involves disabling + the SSH server or to prevent access via firewall rules. + </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-32433</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2025-32433</url>; + </references> + <dates> + <discovery>2025-04-16</discovery> + <entry>2025-04-20</entry> + </dates> + </vuln> + <vuln vid="1b8d502e-1cfd-11f0-944d-901b0e9408dc"> <topic>ejabberd -- mod_muc_occupantid: Fix handling multiple occupant-id</topic> <affects>home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202504201800.53KI09q7060288>