See the release notes on
https://github.com/erlang/otp/releases?q=OTP-26.&expanded=true
Also, remove patch that is now applied upstream
This fixes the following vulnerabilities:
- CVE-2024-53846:
OTP is a set of Erlang libraries, which consists of the Erlang runtime
system, a number of ready-to-use components mainly written in Erlang,
and a set of design principles for Erlang programs. A regression was
introduced into the ssl application of OTP starting at OTP-25.3.2.8,
OTP-26.2, and OTP-27.0, resulting in a server or client verifying the
peer when incorrect extended key usage is presented (i.e., a server
will verify a client if they have server auth ext key usage and vice
versa).
https://www.cve.org/CVERecord?id=CVE-2024-53846
- CVE-2025-4748:
Improper Limitation of a Pathname to a Restricted Directory ('Path
Traversal') vulnerability in Erlang OTP (stdlib modules) allows
Absolute Path Traversal, File Manipulation. This vulnerability is
associated with program files lib/stdlib/src/zip.erl and program
routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless
the memory option is passed. This issue affects OTP from OTP 17.0
until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to
stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.
https://www.cve.org/CVERecord?id=CVE-2025-4748
- CVE-2025-26618:
Erlang is a programming language and runtime system for building
massively scalable soft real-time systems with requirements on high
availability. OTP is a set of Erlang libraries, which consists of the
Erlang runtime system, a number of ready-to-use components mainly
written in Erlang. Packet size is not verified properly for SFTP
packets. As a result when multiple SSH packets (conforming to max SSH
packet size) are received by ssh, they might be combined into an SFTP
packet which will exceed the max allowed packet size and potentially
cause large amount of memory to be allocated. Note that situation
described above can only happen for successfully authenticated users
after completing the SSH handshake. This issue has been patched in OTP
versions 27.2.4, 26.2.5.9, and 25.3.2.18. There are no known
workarounds for this vulnerability.
https://www.cve.org/CVERecord?id=CVE-2025-26618
- CVE-2025-30211:
Erlang/OTP is a set of libraries for the Erlang programming language.
Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously
formed KEX init message can result with high memory usage.
Implementation does not verify RFC specified limits on algorithm names
(64 characters) provided in KEX init message. Big KEX init packet may
lead to inefficient processing of the error data. As a result, large
amount of memory will be allocated for processing malicious data.
Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue.
Some workarounds are available. One may set option `parallel_login` to
`false` and/or reduce the `max_sessions` option.
https://www.cve.org/CVERecord?id=CVE-2025-30211
- CVE-2025-32433:
Erlang/OTP is a set of libraries for the Erlang programming language.
Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH
server may allow an attacker to perform unauthenticated remote code
execution (RCE). By exploiting a flaw in SSH protocol message
handling, a malicious actor could gain unauthorized access to affected
systems and execute arbitrary commands without valid credentials. This
issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and
OTP-25.3.2.20. A temporary workaround involves disabling the SSH
server or to prevent access via firewall rules.
https://www.cve.org/CVERecord?id=CVE-2025-32433
- CVE-2025-46712:
Erlang/OTP is a set of libraries for the Erlang programming language.
In versions prior to OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for
OTP-26), and OTP-25.3.2.21 (for OTP-25), Erlang/OTP SSH fails to
enforce strict KEX handshake hardening measures by allowing optional
messages to be exchanged. This allows a Man-in-the-Middle attacker to
inject these messages in a connection during the handshake. This issue
has been patched in versions OTP-27.3.4 (for OTP-27), OTP-26.2.5.12
(for OTP-26), and OTP-25.3.2.21 (for OTP-25).
https://www.cve.org/CVERecord?id=CVE-2025-46712
- CVE-2025-48038:
Allocation of Resources Without Limits or Throttling vulnerability in
Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation,
Resource Leak Exposure. This vulnerability is associated with program
files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0
until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from
3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
https://www.cve.org/CVERecord?id=CVE-2025-48038
- CVE-2025-48039:
Allocation of Resources Without Limits or Throttling vulnerability in
Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation,
Resource Leak Exposure. This vulnerability is associated with program
files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0
until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from
3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
https://www.cve.org/CVERecord?id=CVE-2025-48039
- CVE-2025-48040:
Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh
(ssh_sftp modules) allows Excessive Allocation, Flooding. This
vulnerability is associated with program files
lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 until
OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1
until 5.3.3, 5.2.11.3 and 5.1.4.12.
https://www.cve.org/CVERecord?id=CVE-2025-48040
- CVE-2025-48041:
Allocation of Resources Without Limits or Throttling vulnerability in
Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation,
Flooding. This vulnerability is associated with program files
lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 until
OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1
until 5.3.3, 5.2.11.3 and 5.1.4.12.
https://www.cve.org/CVERecord?id=CVE-2025-48041
NB: Since Erlang is quite a "large" package, containing the language itself,
some libraries, and some "applications", it's difficult to tell which CVEs
are exactly affecting Buildroot, but it's a good idea to update anyway
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 88f7fed5f2)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>