Security update for erlang26 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:1356-1 Final 1 1 2025-04-22T09:29:26Z current 2025-04-22T09:29:26Z 2025-04-22T09:29:26Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for erlang26 This update for erlang26 fixes the following issues: - CVE-2025-30211: Fixed KEX init error results with excessive memory usage (bsc#1240390) - CVE-2025-32433: Fixed unauthenticated remote code execution in Erlang/OTP SSH (bsc#1241300) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-1356,SUSE-SLE-Module-Server-Applications-15-SP6-2025-1356,openSUSE-SLE-15.6-2025-1356 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20251356-1/ Link for SUSE-SU-2025:1356-1 https://lists.suse.com/pipermail/sle-updates/2025-April/039074.html E-Mail link for SUSE-SU-2025:1356-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1240390 SUSE Bug 1240390 https://bugzilla.suse.com/1241300 SUSE Bug 1241300 https://www.suse.com/security/cve/CVE-2025-30211/ SUSE CVE CVE-2025-30211 page https://www.suse.com/security/cve/CVE-2025-32433/ SUSE CVE CVE-2025-32433 page SUSE Linux Enterprise Module for Server Applications 15 SP6 openSUSE Leap 15.6 erlang26-26.2.1-150300.7.11.1 erlang26-debugger-26.2.1-150300.7.11.1 erlang26-debugger-src-26.2.1-150300.7.11.1 erlang26-dialyzer-26.2.1-150300.7.11.1 erlang26-dialyzer-src-26.2.1-150300.7.11.1 erlang26-diameter-26.2.1-150300.7.11.1 erlang26-diameter-src-26.2.1-150300.7.11.1 erlang26-doc-26.2.1-150300.7.11.1 erlang26-epmd-26.2.1-150300.7.11.1 erlang26-et-26.2.1-150300.7.11.1 erlang26-et-src-26.2.1-150300.7.11.1 erlang26-jinterface-26.2.1-150300.7.11.1 erlang26-jinterface-src-26.2.1-150300.7.11.1 erlang26-observer-26.2.1-150300.7.11.1 erlang26-observer-src-26.2.1-150300.7.11.1 erlang26-reltool-26.2.1-150300.7.11.1 erlang26-reltool-src-26.2.1-150300.7.11.1 erlang26-src-26.2.1-150300.7.11.1 erlang26-wx-26.2.1-150300.7.11.1 erlang26-wx-src-26.2.1-150300.7.11.1 erlang26-26.2.1-150300.7.11.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP6 erlang26-epmd-26.2.1-150300.7.11.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP6 erlang26-26.2.1-150300.7.11.1 as a component of openSUSE Leap 15.6 erlang26-debugger-26.2.1-150300.7.11.1 as a component of openSUSE Leap 15.6 erlang26-debugger-src-26.2.1-150300.7.11.1 as a component of openSUSE Leap 15.6 erlang26-dialyzer-26.2.1-150300.7.11.1 as a component of openSUSE Leap 15.6 erlang26-dialyzer-src-26.2.1-150300.7.11.1 as a component of openSUSE Leap 15.6 erlang26-diameter-26.2.1-150300.7.11.1 as a component of openSUSE Leap 15.6 erlang26-diameter-src-26.2.1-150300.7.11.1 as a component of openSUSE Leap 15.6 erlang26-doc-26.2.1-150300.7.11.1 as a component of openSUSE Leap 15.6 erlang26-epmd-26.2.1-150300.7.11.1 as a component of openSUSE Leap 15.6 erlang26-et-26.2.1-150300.7.11.1 as a component of openSUSE Leap 15.6 erlang26-et-src-26.2.1-150300.7.11.1 as a component of openSUSE Leap 15.6 erlang26-jinterface-26.2.1-150300.7.11.1 as a component of openSUSE Leap 15.6 erlang26-jinterface-src-26.2.1-150300.7.11.1 as a component of openSUSE Leap 15.6 erlang26-observer-26.2.1-150300.7.11.1 as a component of openSUSE Leap 15.6 erlang26-observer-src-26.2.1-150300.7.11.1 as a component of openSUSE Leap 15.6 erlang26-reltool-26.2.1-150300.7.11.1 as a component of openSUSE Leap 15.6 erlang26-reltool-src-26.2.1-150300.7.11.1 as a component of openSUSE Leap 15.6 erlang26-src-26.2.1-150300.7.11.1 as a component of openSUSE Leap 15.6 erlang26-wx-26.2.1-150300.7.11.1 as a component of openSUSE Leap 15.6 erlang26-wx-src-26.2.1-150300.7.11.1 as a component of openSUSE Leap 15.6 Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result with high memory usage. Implementation does not verify RFC specified limits on algorithm names (64 characters) provided in KEX init message. Big KEX init packet may lead to inefficient processing of the error data. As a result, large amount of memory will be allocated for processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue. Some workarounds are available. One may set option `parallel_login` to `false` and/or reduce the `max_sessions` option. CVE-2025-30211 SUSE Linux Enterprise Module for Server Applications 15 SP6:erlang26-26.2.1-150300.7.11.1 SUSE Linux Enterprise Module for Server Applications 15 SP6:erlang26-epmd-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-debugger-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-debugger-src-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-dialyzer-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-dialyzer-src-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-diameter-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-diameter-src-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-doc-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-epmd-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-et-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-et-src-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-jinterface-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-jinterface-src-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-observer-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-observer-src-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-reltool-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-reltool-src-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-src-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-wx-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-wx-src-26.2.1-150300.7.11.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251356-1/ https://www.suse.com/security/cve/CVE-2025-30211.html CVE-2025-30211 https://bugzilla.suse.com/1240390 SUSE Bug 1240390 Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules. CVE-2025-32433 SUSE Linux Enterprise Module for Server Applications 15 SP6:erlang26-26.2.1-150300.7.11.1 SUSE Linux Enterprise Module for Server Applications 15 SP6:erlang26-epmd-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-debugger-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-debugger-src-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-dialyzer-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-dialyzer-src-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-diameter-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-diameter-src-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-doc-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-epmd-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-et-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-et-src-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-jinterface-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-jinterface-src-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-observer-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-observer-src-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-reltool-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-reltool-src-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-src-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-wx-26.2.1-150300.7.11.1 openSUSE Leap 15.6:erlang26-wx-src-26.2.1-150300.7.11.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20251356-1/ https://www.suse.com/security/cve/CVE-2025-32433.html CVE-2025-32433 https://bugzilla.suse.com/1241300 SUSE Bug 1241300