Multiple security updates have been released for various Debian GNU/Linux packages, including Erlang, which is available for Debian 9 ELTS, 10 ELTS, and 11 LTS, as well as r-cran-gh and python-gevent for Debian 11 LTS. The updates address vulnerabilities such as improper path traversal, excessive allocation, and privilege escalation. The affected packages include erlang 1:23.2.6+dfsg-1+deb11u3, r-cran-gh 1.2.0-1+deb11u1, and python-gevent 20.9.0-2+deb11u1.

ELA-1582-1 erlang security update
[DLA 4376-1] erlang security update
[DLA 4378-1] r-cran-gh security update
[DLA 4377-1] python-gevent security update

ELA-1582-1 erlang security update

Package : erlang
Version : 1:19.2.1+dfsg-2+really23.3.4.18-0+deb9u5 (stretch), 1:22.2.7+dfsg-1+deb10u4 (buster)

Related CVEs :
CVE-2025-4748
CVE-2025-48038
CVE-2025-48039
CVE-2025-48041

Multiple vulnerabilities were fixed in Erlang an concurrent, real-time,
distributed functional language.

CVE-2025-4748

Improper Limitation of a Pathname to a Restricted Directory (‘Path
Traversal’) vulnerability in Erlang OTP (stdlib modules) allows
Absolute Path Traversal, File Manipulation. This vulnerability is
associated with program files lib/stdlib/src/zip.erl and program
routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2
unless the memory option is passed.

CVE-2025-48038, CVE-2025-48039, CVE-2025-48041

Allocation of Resources Without Limits or Throttling vulnerability
in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation,
Resource Leak Exposure, Flooding. These vulnerabilities are
associated with program files lib/ssh/src/ssh_sftpd.erl.

ELA-1582-1 erlang security update

[SECURITY] [DLA 4376-1] erlang security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4376-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Jochen Sprickerhof
November 24, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : erlang
Version : 1:23.2.6+dfsg-1+deb11u3
CVE ID : CVE-2025-4748 CVE-2025-48038 CVE-2025-48039 CVE-2025-48041
Debian Bug :

Multiple vulnerabilities were fixed in Erlang an concurrent, real-time,
distributed functional language.

CVE-2025-4748

Improper Limitation of a Pathname to a Restricted Directory ('Path
Traversal') vulnerability in Erlang OTP (stdlib modules) allows
Absolute Path Traversal, File Manipulation. This vulnerability is
associated with program files lib/stdlib/src/zip.erl and program
routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2
unless the memory option is passed.

CVE-2025-48038, CVE-2025-48039, CVE-2025-48041

Allocation of Resources Without Limits or Throttling vulnerability
in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation,
Resource Leak Exposure, Flooding. These vulnerabilities are
associated with program files lib/ssh/src/ssh_sftpd.erl.

For Debian 11 bullseye, these problems have been fixed in version
1:23.2.6+dfsg-1+deb11u3.

We recommend that you upgrade your erlang packages.

For the detailed security status of erlang please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/erlang

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[SECURITY] [DLA 4378-1] r-cran-gh security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4378-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
November 25, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : r-cran-gh
Version : 1.2.0-1+deb11u1
CVE ID : CVE-2025-54956
Debian Bug : 1110481

A vulnerability has been discovered in r-cran-gh, a GNU R Minimal
client to access the 'GitHub' 'API'.

CVE-2025-54956

The HTTP response is delivered in a data structure that includes the
Authorization header from the corresponding HTTP request.

For Debian 11 bullseye, this problem has been fixed in version
1.2.0-1+deb11u1.

We recommend that you upgrade your r-cran-gh packages.

For the detailed security status of r-cran-gh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/r-cran-gh

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[SECURITY] [DLA 4377-1] python-gevent security update

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4377-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Paride Legovini
November 24, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : python-gevent
Version : 20.9.0-2+deb11u1
CVE ID : CVE-2023-41419

An issue in Gevent before version 23.9.0 allows a remote attacker to
escalate privileges via a crafted script to the WSGIServer component.

For Debian 11 bullseye, this problem has been fixed in version
20.9.0-2+deb11u1.

We recommend that you upgrade your python-gevent packages.

For the detailed security status of python-gevent please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-gevent

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS