Security update for erlang SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:20043-1 Final 1 1 2026-01-15T17:21:23Z current 2026-01-15T17:21:23Z 2026-01-15T17:21:23Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for erlang This update for erlang fixes the following issues: Update the ssh component to the latest in the maint-27 branch. Security issues fixed: - CVE-2025-48040: ssh: overly tolerant handling of data received from unauthenticated users when processing key exchange messages may lead to excessive resource consumption (bsc#1249472). - CVE-2025-48039: ssh: unverified paths from authenticated SFTP users may lead to excessive resource consumption (bsc#1249469). - CVE-2025-48038: ssh: unverified file handles from authenticated SFTP users may lead to excessive resource consumption (bsc#1249470). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Leap-16.0-148 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1249469 SUSE Bug 1249469 https://bugzilla.suse.com/1249470 SUSE Bug 1249470 https://bugzilla.suse.com/1249472 SUSE Bug 1249472 https://www.suse.com/security/cve/CVE-2025-48038/ SUSE CVE CVE-2025-48038 page https://www.suse.com/security/cve/CVE-2025-48039/ SUSE CVE CVE-2025-48039 page https://www.suse.com/security/cve/CVE-2025-48040/ SUSE CVE CVE-2025-48040 page openSUSE Leap 16.0 erlang-27.1.3-160000.3.1 erlang-debugger-27.1.3-160000.3.1 erlang-debugger-src-27.1.3-160000.3.1 erlang-dialyzer-27.1.3-160000.3.1 erlang-dialyzer-src-27.1.3-160000.3.1 erlang-diameter-27.1.3-160000.3.1 erlang-diameter-src-27.1.3-160000.3.1 erlang-doc-27.1.3-160000.3.1 erlang-epmd-27.1.3-160000.3.1 erlang-et-27.1.3-160000.3.1 erlang-et-src-27.1.3-160000.3.1 erlang-jinterface-27.1.3-160000.3.1 erlang-jinterface-src-27.1.3-160000.3.1 erlang-observer-27.1.3-160000.3.1 erlang-observer-src-27.1.3-160000.3.1 erlang-reltool-27.1.3-160000.3.1 erlang-reltool-src-27.1.3-160000.3.1 erlang-src-27.1.3-160000.3.1 erlang-wx-27.1.3-160000.3.1 erlang-wx-src-27.1.3-160000.3.1 erlang-27.1.3-160000.3.1 as a component of openSUSE Leap 16.0 erlang-debugger-27.1.3-160000.3.1 as a component of openSUSE Leap 16.0 erlang-debugger-src-27.1.3-160000.3.1 as a component of openSUSE Leap 16.0 erlang-dialyzer-27.1.3-160000.3.1 as a component of openSUSE Leap 16.0 erlang-dialyzer-src-27.1.3-160000.3.1 as a component of openSUSE Leap 16.0 erlang-diameter-27.1.3-160000.3.1 as a component of openSUSE Leap 16.0 erlang-diameter-src-27.1.3-160000.3.1 as a component of openSUSE Leap 16.0 erlang-doc-27.1.3-160000.3.1 as a component of openSUSE Leap 16.0 erlang-epmd-27.1.3-160000.3.1 as a component of openSUSE Leap 16.0 erlang-et-27.1.3-160000.3.1 as a component of openSUSE Leap 16.0 erlang-et-src-27.1.3-160000.3.1 as a component of openSUSE Leap 16.0 erlang-jinterface-27.1.3-160000.3.1 as a component of openSUSE Leap 16.0 erlang-jinterface-src-27.1.3-160000.3.1 as a component of openSUSE Leap 16.0 erlang-observer-27.1.3-160000.3.1 as a component of openSUSE Leap 16.0 erlang-observer-src-27.1.3-160000.3.1 as a component of openSUSE Leap 16.0 erlang-reltool-27.1.3-160000.3.1 as a component of openSUSE Leap 16.0 erlang-reltool-src-27.1.3-160000.3.1 as a component of openSUSE Leap 16.0 erlang-src-27.1.3-160000.3.1 as a component of openSUSE Leap 16.0 erlang-wx-27.1.3-160000.3.1 as a component of openSUSE Leap 16.0 erlang-wx-src-27.1.3-160000.3.1 as a component of openSUSE Leap 16.0 Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12. CVE-2025-48038 openSUSE Leap 16.0:erlang-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-debugger-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-debugger-src-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-dialyzer-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-dialyzer-src-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-diameter-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-diameter-src-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-doc-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-epmd-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-et-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-et-src-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-jinterface-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-jinterface-src-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-observer-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-observer-src-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-reltool-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-reltool-src-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-src-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-wx-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-wx-src-27.1.3-160000.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-48038.html CVE-2025-48038 https://bugzilla.suse.com/1249470 SUSE Bug 1249470 Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12. CVE-2025-48039 openSUSE Leap 16.0:erlang-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-debugger-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-debugger-src-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-dialyzer-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-dialyzer-src-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-diameter-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-diameter-src-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-doc-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-epmd-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-et-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-et-src-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-jinterface-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-jinterface-src-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-observer-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-observer-src-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-reltool-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-reltool-src-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-src-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-wx-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-wx-src-27.1.3-160000.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-48039.html CVE-2025-48039 https://bugzilla.suse.com/1249469 SUSE Bug 1249469 Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12. CVE-2025-48040 openSUSE Leap 16.0:erlang-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-debugger-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-debugger-src-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-dialyzer-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-dialyzer-src-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-diameter-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-diameter-src-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-doc-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-epmd-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-et-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-et-src-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-jinterface-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-jinterface-src-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-observer-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-observer-src-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-reltool-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-reltool-src-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-src-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-wx-27.1.3-160000.3.1 openSUSE Leap 16.0:erlang-wx-src-27.1.3-160000.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-48040.html CVE-2025-48040 https://bugzilla.suse.com/1249472 SUSE Bug 1249472