package/erlang: security bump to v26.2.5.15
See the release notes on
https://github.com/erlang/otp/releases?q=OTP-26.&expanded=true

Also, remove patch that is now applied upstream.

This fixes the following vulnerabilities:

- CVE-2024-53846: OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang, and a set of design principles for Erlang programs. A regression was introduced into the ssl application of OTP starting at OTP-25.3.2.8, OTP-26.2, and OTP-27.0, resulting in a server or client verifying the peer when incorrect extended key usage is presented (i.e., a server will verify a client if they have server auth ext key usage and vice versa).
  https://www.cve.org/CVERecord?id=CVE-2024-53846

- CVE-2025-4748: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless the memory option is passed. This issue affects OTP from OTP 17.0 until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.
  https://www.cve.org/CVERecord?id=CVE-2025-4748

- CVE-2025-26618: Erlang is a programming language and runtime system for building massively scalable soft real-time systems with requirements on high availability. OTP is a set of Erlang libraries, which consists of the Erlang runtime system, a number of ready-to-use components mainly written in Erlang. Packet size is not verified properly for SFTP packets. As a result, when multiple SSH packets (conforming to max SSH packet size) are received by ssh, they might be combined into an SFTP packet which will exceed the max allowed packet size and potentially cause a large amount of memory to be allocated. Note that the situation described above can only happen for successfully authenticated users after completing the SSH handshake. This issue has been patched in OTP versions 27.2.4, 26.2.5.9, and 25.3.2.18. There are no known workarounds for this vulnerability.
  https://www.cve.org/CVERecord?id=CVE-2025-26618

- CVE-2025-30211: Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously formed KEX init message can result in high memory usage. The implementation does not verify RFC-specified limits on algorithm names (64 characters) provided in the KEX init message. A big KEX init packet may lead to inefficient processing of the error data. As a result, a large amount of memory will be allocated for processing malicious data. Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue. Some workarounds are available. One may set option `parallel_login` to `false` and/or reduce the `max_sessions` option.
  https://www.cve.org/CVERecord?id=CVE-2025-30211

- CVE-2025-32433: Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, an SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or preventing access via firewall rules.
  https://www.cve.org/CVERecord?id=CVE-2025-32433

- CVE-2025-46712: Erlang/OTP is a set of libraries for the Erlang programming language. In versions prior to OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25), Erlang/OTP SSH fails to enforce strict KEX handshake hardening measures by allowing optional messages to be exchanged. This allows a Man-in-the-Middle attacker to inject these messages in a connection during the handshake. This issue has been patched in versions OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25).
  https://www.cve.org/CVERecord?id=CVE-2025-46712

- CVE-2025-48038: Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
  https://www.cve.org/CVERecord?id=CVE-2025-48038

- CVE-2025-48039: Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
  https://www.cve.org/CVERecord?id=CVE-2025-48039

- CVE-2025-48040: Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
  https://www.cve.org/CVERecord?id=CVE-2025-48040

- CVE-2025-48041: Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
  https://www.cve.org/CVERecord?id=CVE-2025-48041

NB: Since Erlang is quite a "large" package, containing the language itself, some libraries, and some "applications", it's difficult to tell which CVEs are exactly affecting Buildroot, but it's a good idea to update anyway.

Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
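The commit message above names one code-level mitigation and one configuration workaround: for CVE-2025-4748, extracting with the `memory` option (so `zip` never writes files) or refusing entries whose names would leave the target directory; for CVE-2025-30211, `parallel_login` set to `false` and a lower `max_sessions` on the ssh daemon. The Erlang module below is an added illustration written for this page; it is not Buildroot code and not part of Erlang/OTP. The module name `otp_bump_checks`, its function names and the `BaseOpts`/`MaxSessions` arguments are this example's own. It assumes OTP 26, where `zip:list_dir/1` and `zip:unzip/2` with `memory` return entry names as strings, and the fixed-version table in `otp_is_fixed/1` is transcribed from the CVE-2025-48038 to CVE-2025-48041 entries of the commit message (28.0.3, 27.3.4.3, 26.2.5.15); OTP 25 is not covered there, so the function answers `unknown` for it rather than guessing.

```erlang
%% otp_bump_checks.erl -- added example; not Buildroot or Erlang/OTP code.
%% Module, function and argument names are hypothetical.
-module(otp_bump_checks).
-export([unsafe_entries/1, safe_unzip/2, ssh_daemon_opts/2,
         otp_is_fixed/1, running_otp_version/0]).

%% ---- CVE-2025-4748: zip path traversal ---------------------------------
%% On unpatched OTP, zip:unzip/2 and zip:extract/2 write an entry named
%% "/etc/cron.d/x" or "../../.ssh/authorized_keys" exactly where the name
%% points. The advisory says the 'memory' option is not affected because
%% nothing is written; this module extracts with 'memory' and writes the
%% files itself only after every entry name has been checked.

%% Names in ZipFile that would escape the target directory ([] if none).
unsafe_entries(ZipFile) ->
    {ok, Entries} = zip:list_dir(ZipFile),
    [Name || {zip_file, Name, _Info, _Comment, _Offset, _CompSize} <- Entries,
             not name_is_safe(Name)].

%% Safe means: relative, no ".." component, no drive-style "C:" prefix.
%% Backslashes are normalised first so "..\\x" is not missed on Unix hosts.
name_is_safe(Name) ->
    Norm = [case C of $\\ -> $/; _ -> C end || C <- Name],
    filename:pathtype(Norm) =:= relative
        andalso not lists:member("..", filename:split(Norm))
        andalso not lists:member($:, Norm).

%% Extract into TargetDir without letting zip touch the filesystem.
%% Refuses the whole archive if any entry is unsafe; returns the paths
%% written otherwise. 'memory' holds every entry in RAM, so cap the
%% archive size before calling this on untrusted input.
safe_unzip(ZipFile, TargetDir) ->
    {ok, Files} = zip:unzip(ZipFile, [memory]),
    case [N || {N, _} <- Files, not name_is_safe(N)] of
        [] ->
            {ok, [write_entry(TargetDir, N, Bin) || {N, Bin} <- Files]};
        Bad ->
            {error, {path_traversal, Bad}}
    end.

write_entry(TargetDir, Name, Bin) ->
    Path = filename:join(TargetDir, Name),
    case lists:last(Name) of
        $/ ->                                        % directory entry
            ok = filelib:ensure_dir(filename:join(Path, "x")),
            Path;
        _ ->
            ok = filelib:ensure_dir(Path),           % parent dirs only
            ok = file:write_file(Path, Bin),
            Path
    end.

%% ---- CVE-2025-30211: KEX init memory exhaustion ------------------------
%% The advisory's interim workaround: no parallel logins and a small cap on
%% concurrent sessions, so one client cannot stack up many half-open
%% handshakes. Any parallel_login/max_sessions already in BaseOpts are
%% overridden. Use the result as the option list for ssh:daemon/2,3, e.g.
%%   ssh:daemon(2222, ssh_daemon_opts([{system_dir, "/etc/ssh"}], 8)).
ssh_daemon_opts(BaseOpts, MaxSessions)
  when is_integer(MaxSessions), MaxSessions > 0 ->
    Stripped = proplists:delete(parallel_login,
                                proplists:delete(max_sessions, BaseOpts)),
    [{parallel_login, false}, {max_sessions, MaxSessions} | Stripped].

%% ---- Is a given OTP version at or past the fixed releases? -------------
%% Fixed versions for CVE-2025-48038..48041 as listed in the commit message.
-define(FIXED_FOR_CVE_2025_48038, #{26 => [26, 2, 5, 15],
                                    27 => [27, 3, 4, 3],
                                    28 => [28, 0, 3]}).

%% true/false for a major line the table covers, 'unknown' otherwise.
otp_is_fixed(VersionString) ->
    Parts = [list_to_integer(P) || P <- string:lexemes(VersionString, ".")],
    case maps:find(hd(Parts), ?FIXED_FOR_CVE_2025_48038) of
        {ok, Fixed} -> Parts >= Fixed;   % Erlang lists compare lexicographically
        error       -> unknown
    end.

%% Full version of the running VM; erlang:system_info(otp_release) alone is
%% just "26", the patch level lives in <root>/releases/<rel>/OTP_VERSION.
running_otp_version() ->
    File = filename:join([code:root_dir(), "releases",
                          erlang:system_info(otp_release), "OTP_VERSION"]),
    {ok, Bin} = file:read_file(File),
    string:trim(binary_to_list(Bin)).
```

`otp_is_fixed(running_otp_version())` is the one-line check for a deployed image; a four-component string such as "26.2.5.9" compares below "26.2.5.15" element by element, and a bare "26.2.5" is treated as older than the fix because the shorter list sorts first. `safe_unzip/2` deliberately rejects the whole archive rather than skipping bad entries, so a hostile archive cannot smuggle a single bad name in among many good ones unnoticed.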
committed by Julien Olivain
parent e993272b32
commit 88f7fed5f2
@@ -1,46 +0,0 @@
From 8c7d62662cf51902d759be0e8d3bfd96a3524b3c Mon Sep 17 00:00:00 2001
From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Date: Fri, 8 Dec 2023 09:00:17 +0100
Subject: [PATCH] lib/crypto/c_src/openssl_config.h: fix build without DES

Fix the following build failure without DES raised since version 24.2
and
https://github.com/erlang/otp/commit/abf7f84c2f77bb07dbdbb8a29b9d41f1f24c5f14:

cipher.c:51:42: error: 'EVP_des_ede3_cbc' undeclared here (not in a function); did you mean 'SN_des_ede3_cbc'?
51 | {{"des_ede3_cbc"}, "des-ede3-cbc", {&EVP_des_ede3_cbc}, 0, 0},
| ^~~~~~~~~~~~~~~~
| SN_des_ede3_cbc

Fixes:
- http://autobuild.buildroot.org/results/1aace0ee738f8ec4aa2c9a739fc7535c3b6bf884

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Upstream: https://github.com/erlang/otp/pull/7937
---
lib/crypto/c_src/openssl_config.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/crypto/c_src/openssl_config.h b/lib/crypto/c_src/openssl_config.h
index cb63f28369..f3904986c9 100644
--- a/lib/crypto/c_src/openssl_config.h
+++ b/lib/crypto/c_src/openssl_config.h
@@ -218,7 +218,6 @@

#ifndef OPENSSL_NO_DES
# define HAVE_DES
-#endif

#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION(0,9,7,'e')
# define HAVE_DES_ede3_cfb
@@ -227,6 +226,7 @@
#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION(0,9,7,'e')
# define HAVE_DES_ede3_cbc
#endif
+#endif

#ifndef OPENSSL_NO_DH
# define HAVE_DH
--
2.42.0

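Review bot: dropping this patch is only safe if the change from https://github.com/erlang/otp/pull/7937 is actually present in the OTP-26.2.5.15 tarball, and the commit message says only that the patch "is now applied upstream" without naming the upstream commit or the first OTP 26 release that carries it. Suggest citing that release in the commit message and re-running the configuration behind http://autobuild.buildroot.org/results/1aace0ee738f8ec4aa2c9a739fc7535c3b6bf884 (an OpenSSL built without DES), since what this patch fixed was the `#endif` placement: moving it from right after `# define HAVE_DES` to after the `HAVE_DES_ede3_cbc` block is what keeps `HAVE_DES_ede3_cfb`/`HAVE_DES_ede3_cbc` from being defined when `OPENSSL_NO_DES` is set, and that failure would come straight back if the upstream tree lacks it.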
@@ -1,5 +1,5 @@
# From https://github.com/erlang/otp/releases/download/OTP-26.0.2/SHA256.txt
sha256 47853ea9230643a0a31004433f07a71c1b92d6e0094534f629e3b75dbc62f193 otp_src_26.0.2.tar.gz
# From https://github.com/erlang/otp/releases/download/OTP-26.2.5.15/SHA256.txt
sha256 28e6d63d82927f132d56289dd3c428ef8bce6bf2283c8549aa0a7afca1a8fe3b otp_src_26.2.5.15.tar.gz

# Hash for license file
sha256 809fa1ed21450f59827d1e9aec720bbc4b687434fa22283c6cb5dd82a47ab9c0 LICENSE.txt

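Review bot: the LICENSE.txt hash is carried over unchanged from 26.0.2 while the source hash moves to 26.2.5.15, and neither the hunk nor the commit message says the license file was re-checked against the new tarball. Suggest a sentence in the commit message stating that LICENSE.txt is unchanged in 26.2.5.15 so the reviewer does not have to take it on trust. The `# From .../OTP-26.2.5.15/SHA256.txt` comment is updated consistently with the hash line, which is what the pinned hash is traceable to; note that it comes from the same GitHub release that serves the tarball, so it pins the exact asset that was reviewed rather than authenticating the release independently.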
package/erlang/erlang.mk
@@ -4,7 +4,7 @@
#
################################################################################

ERLANG_VERSION = 26.0.2
ERLANG_VERSION = 26.2.5.15
ERLANG_RELEASE = $(firstword $(subst ., ,$(ERLANG_VERSION)))
ERLANG_SITE = \
https://github.com/erlang/otp/releases/download/OTP-$(ERLANG_VERSION)

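Review bot: `ERLANG_RELEASE = $(firstword $(subst ., ,$(ERLANG_VERSION)))` still evaluates to `26` for the four-component `26.2.5.15`, so nothing derived from the release number changes with this bump. The point worth tightening is the commit message this version line implements: for CVE-2025-48038 to CVE-2025-48041 it quotes "affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15", which reads as if the version set here were itself still affected. Suggest stating explicitly that 26.2.5.15 is the first OTP 26 release containing those four fixes (consistent with the "security bump" subject), so the choice of `26.2.5.15` rather than the earlier `26.2.5.13` named for CVE-2025-4748 is justified on the face of the commit.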