Update Info

SUSE-PackageHub-16.0-892


Security update for erlang


Type: security
Severity: important
Issued: 2026-06-05
Description:
This update for erlang fixes the following issues:

- CVE-2025-4748: improper limitation of a pathname may lead to path traversal (bsc#1244642).
- CVE-2026-32147: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in SFTP chroot
  (bsc#1262503).
- CVE-2026-42789: `public_key` application accepts non-CA certificates as intermediate issuers and this enables chain
  forgery (bsc#1266449).
- CVE-2026-42790: Name Constraints and Subject CommonName fallback in TLS hostname verification allows for certificate
  forgery by MITM attacker (bsc#1266466).
- CVE-2026-42791: OCSP response verification in the `public_key` application does not check the validity period of the
  OCSP responder certificate and allows for OCSP response forgery (bsc#1266448).


              

Packages


  • erlang-27.1.3-160000.5.1