From cef84642864780e488b8b5b6b337cac076a5fbbe Mon Sep 17 00:00:00 2001 From: Kiko Fernandez-Reyes Date: Fri, 28 Nov 2025 09:18:07 +0100 Subject: [PATCH 1/4] update SPDX SBOM to 2.3 - updates ORT to version 72.0.0 to be able to produce a SPDX 2.3 version - add MPL-1.1 to detected files - add Mozilla Public License to test files detected by the file header script during SBOM creation. this is necessary to create a source SBOM, otherwise the build process of the source SBOM will continue failing. - update dialyzer license on results - add the OpenVex statements to the SBOM --- .github/scripts/otp-compliance.es | 2 +- .github/workflows/main.yaml | 4 +-- .ort/config/config.yml | 6 ++++ FILE-HEADERS/MPL-1.1.txt | 9 ++++++ .../test/opaque_SUITE_data/results/ewgi | 15 ++++++++-- .../opaque_SUITE_data/src/ewgi/ewgi_api.erl | 28 +++++++------------ .../src/ewgi/ewgi_testapp.erl | 25 ++++++----------- .../opaque_SUITE_data/src/ewgi2/ewgi_api.erl | 26 ++++++----------- .../src/ewgi2/ewgi_testapp.erl | 25 ++++++----------- 9 files changed, 65 insertions(+), 75 deletions(-) create mode 100644 FILE-HEADERS/MPL-1.1.txt diff --git a/.github/scripts/otp-compliance.es b/.github/scripts/otp-compliance.es index 35cfedbbf157..d37feb379235 100755 --- a/.github/scripts/otp-compliance.es +++ b/.github/scripts/otp-compliance.es @@ -83,7 +83,7 @@ -define(spdx_download_location, ~"https://github.com/erlang/otp/releases"). -define(spdx_homepage, ~"https://www.erlang.org"). -define(spdx_purl_meta_data, ~"?vcs_url=git+https://github.com/erlang/otp.git"). --define(spdx_version, ~"SPDX-2.2"). +-define(spdx_version, ~"SPDX-2.3"). -define(otp_version, 'OTP_VERSION'). % file name of the OTP version -define(spdx_project_purl, #{ ~"comment" => ~"", ~"referenceCategory" => ~"PACKAGE-MANAGER", diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 1ac9504fbf40..e95b4e89206e 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml 
@@ -745,7 +745,7 @@ jobs: runs-on: ubuntu-latest needs: pack env: - ORT_VERSION: 58.0.1 + ORT_VERSION: 72.0.0 SCAN_RESULT_CACHE_PATH: .ort/scan-result.json steps: @@ -807,7 +807,7 @@ jobs: FROM otp RUN echo 'export PATH="\$HOME/.local/bin:\$PATH"' >> /home/otptest/.profile RUN sudo apt-get install -y libicu-dev pip && \ - pip install click==8.1.7 scancode-toolkit==${SCANCODE_VERSION} reuse && \ + pip install click==8.3.1 scancode-toolkit==${SCANCODE_VERSION} reuse && \ pip install -U ntia-conformance-checker EOF diff --git a/.ort/config/config.yml b/.ort/config/config.yml index 9cd29f505c69..b6d184032f85 100644 --- a/.ort/config/config.yml +++ b/.ort/config/config.yml @@ -36,3 +36,9 @@ ort: enabledPackageManagers: [Unmanaged] # A flag to control whether excluded scopes and paths should be skipped during the analysis. skipExcluded: true + + reporter: + reporters: + SpdxDocument: + options: + spdxVersion: "SPDX-2.3" diff --git a/FILE-HEADERS/MPL-1.1.txt b/FILE-HEADERS/MPL-1.1.txt new file mode 100644 index 000000000000..6dd1d49ce41f --- /dev/null +++ b/FILE-HEADERS/MPL-1.1.txt @@ -0,0 +1,9 @@ +The contents of this file are subject to the Mozilla Public +License Version 1.1 (the "License"); you may not use this file +except in compliance with the License. You may obtain a copy of +the License at http://www.mozilla.org/MPL/ + +Software distributed under the License is distributed on an "AS IS" +basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See +the License for the specific language governing rights and +limitations under the License. diff --git a/lib/dialyzer/test/opaque_SUITE_data/results/ewgi b/lib/dialyzer/test/opaque_SUITE_data/results/ewgi index ed7e06a9dbad..29915d5e9006 100644 --- a/lib/dialyzer/test/opaque_SUITE_data/results/ewgi +++ b/lib/dialyzer/test/opaque_SUITE_data/results/ewgi 
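Review bot: The changed `pip install` line in the `@@ -807` hunk pins `click` and `scancode-toolkit` but still installs `reuse` unpinned, and the `pip install -U ntia-conformance-checker` context line right after it is unpinned as well, so the container that produces the SBOM picks up whatever PyPI serves on the day the job runs. Because this job's output is the supply-chain artefact downstream consumers will trust, I would pin `reuse` the same way `click` and `scancode-toolkit` are pinned, drop the `-U` on the conformance checker, and consider a constraints file with `--require-hashes` for the whole install. The enclosing job definition starts and ends outside the hunk.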
@@ -1,4 +1,13 @@ -ewgi_api.erl:55:31: The call gb_trees:to_list({non_neg_integer(),'nil' | {_,_,_,_}}) does not have an opaque term of type gb_trees:tree(_,_) as 1st argument -ewgi_testapp.erl:35:91: The call ewgi_testapp:htmlise_data("request_data",{non_neg_integer(),'nil' | {_,_,_,_}}) does not have a term of type [{_,_}] | gb_trees:tree(_,_) (with opaque subterms) as 2nd argument -ewgi_testapp.erl:43:27: The call gb_trees:to_list(T::{non_neg_integer(),'nil' | {_,_,_,_}}) does not have an opaque term of type gb_trees:tree(_,_) as 1st argument +ewgi_api.erl:47:31: The call gb_trees:to_list({non_neg_integer(),'nil' | {_,_,_,_}}) does not have an opaque term of type gb_trees:tree(_,_) as 1st argument +ewgi_testapp.erl:26:91: The call ewgi_testapp:htmlise_data("request_data",{non_neg_integer(),'nil' | {_,_,_,_}}) does not have a term of type [{_,_}] | gb_trees:tree(_,_) (with opaque subterms) as 2nd argument +ewgi_testapp.erl:34:27: The call gb_trees:to_list(T::{non_neg_integer(),'nil' | {_,_,_,_}}) does not have an opaque term of type gb_trees:tree(_,_) as 1st argument + +%% %CopyrightBegin% +%% +%% SPDX-License-Identifier: MPL-1.1 +%% +%% SPDX-FileCopyrightText: Copyright 2007 S.G. Consulting s.r.l. Filippo Pacini +%% SPDX-FileCopyrightText: Copyright 2007 S.G. Consulting s.r.l. Hunter Morris +%% +%% %CopyrightEnd% diff --git a/lib/dialyzer/test/opaque_SUITE_data/src/ewgi/ewgi_api.erl b/lib/dialyzer/test/opaque_SUITE_data/src/ewgi/ewgi_api.erl index 60da757d3b6d..43f384a003f4 100644 --- a/lib/dialyzer/test/opaque_SUITE_data/src/ewgi/ewgi_api.erl +++ b/lib/dialyzer/test/opaque_SUITE_data/src/ewgi/ewgi_api.erl 
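Review bot: The `%% %CopyrightBegin%` … `%% %CopyrightEnd%` block is appended to a dialyzer expected-results file that the opaque suite compares against the analysis output, so this only works if the comparison code ignores `%%` lines; that code is not part of this patch, so please confirm it (or point to other `results/*` files that already carry the same block) before merging, otherwise the case fails with nine unexpected lines. The renumbered warnings (55→47, 35→26, 43→34) are consistent with the headers in the four source hunks below being eight or nine lines shorter than before. If the harness does skip comment lines, a one-line note above the block, such as `%% comment lines are skipped when results are compared`, would spare the next reader the same check.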
@@ -1,21 +1,13 @@ -%%%------------------------------------------------------------------- -%%% File : ewgi_api.erl -%%% Authors : Filippo Pacini -%%% Hunter Morris -%%% License : -%%% The contents of this file are subject to the Mozilla Public -%%% License Version 1.1 (the "License"); you may not use this file -%%% except in compliance with the License. You may obtain a copy of -%%% the License at http://www.mozilla.org/MPL/ -%%% -%%% Software distributed under the License is distributed on an "AS IS" -%%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See -%%% the License for the specific language governing rights and -%%% limitations under the License. -%%% The Initial Developer of the Original Code is S.G. Consulting -%%% srl. Portions created by S.G. Consulting s.r.l. are Copyright (C) -%%% 2007 S.G. Consulting srl. All Rights Reserved. -%%% +%% %CopyrightBegin% +%% +%% SPDX-License-Identifier: MPL-1.1 +%% +%% SPDX-FileCopyrightText: Copyright 2007 S.G. Consulting s.r.l. Filippo Pacini +%% SPDX-FileCopyrightText: Copyright 2007 S.G. Consulting s.r.l. Hunter Morris +%% +%% %CopyrightEnd% + +%%% ------------------------------------------------------------------- %%% @doc %%%

ewgi API. Defines a low level CGI like API.

%%% diff --git a/lib/dialyzer/test/opaque_SUITE_data/src/ewgi/ewgi_testapp.erl b/lib/dialyzer/test/opaque_SUITE_data/src/ewgi/ewgi_testapp.erl index 59c1ae920630..59dddd745b79 100644 --- a/lib/dialyzer/test/opaque_SUITE_data/src/ewgi/ewgi_testapp.erl +++ b/lib/dialyzer/test/opaque_SUITE_data/src/ewgi/ewgi_testapp.erl @@ -1,20 +1,11 @@ -%%%------------------------------------------------------------------- -%%% File : ewgi_testapp.erl -%%% Authors : Hunter Morris -%%% License : -%%% The contents of this file are subject to the Mozilla Public -%%% License Version 1.1 (the "License"); you may not use this file -%%% except in compliance with the License. You may obtain a copy of -%%% the License at http://www.mozilla.org/MPL/ -%%% -%%% Software distributed under the License is distributed on an "AS IS" -%%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See -%%% the License for the specific language governing rights and -%%% limitations under the License. -%%% The Initial Developer of the Original Code is S.G. Consulting -%%% srl. Portions created by S.G. Consulting s.r.l. are Copyright (C) -%%% 2007 S.G. Consulting srl. All Rights Reserved. -%%% +%% %CopyrightBegin% +%% +%% SPDX-License-Identifier: MPL-1.1 +%% +%% SPDX-FileCopyrightText: Copyright 2007 S.G. Consulting s.r.l. Hunter Morris +%% +%% %CopyrightEnd% + %%% @doc %%%
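Review bot: The rewritten header drops the MPL-1.1 Exhibit A notice, in particular the sentence naming S.G. Consulting srl as Initial Developer, which section 3.5 of MPL 1.1 requires to be duplicated in each source file; whether the `SPDX-License-Identifier: MPL-1.1` tag is an acceptable substitute is a licensing decision that should be taken explicitly rather than as a side effect of getting the SBOM build to pass. The new `SPDX-FileCopyrightText` lines also change attribution: the original assigned the copyright to S.G. Consulting srl and listed Pacini and Morris as authors, whereas the new lines read as if each person co-holds it. I would keep the holder on the copyright line and record the authors separately, `%% SPDX-FileCopyrightText: Copyright 2007 S.G. Consulting s.r.l.` / `%% SPDX-FileContributor: Filippo Pacini` / `%% SPDX-FileContributor: Hunter Morris`, and retain the Initial Developer sentence below the tags. The same applies to the other three header hunks in this patch.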

ewgi test applications

%%% diff --git a/lib/dialyzer/test/opaque_SUITE_data/src/ewgi2/ewgi_api.erl b/lib/dialyzer/test/opaque_SUITE_data/src/ewgi2/ewgi_api.erl index 60da757d3b6d..f8177987e142 100644 --- a/lib/dialyzer/test/opaque_SUITE_data/src/ewgi2/ewgi_api.erl +++ b/lib/dialyzer/test/opaque_SUITE_data/src/ewgi2/ewgi_api.erl @@ -1,20 +1,12 @@ -%%%------------------------------------------------------------------- -%%% File : ewgi_api.erl -%%% Authors : Filippo Pacini -%%% Hunter Morris -%%% License : -%%% The contents of this file are subject to the Mozilla Public -%%% License Version 1.1 (the "License"); you may not use this file -%%% except in compliance with the License. You may obtain a copy of -%%% the License at http://www.mozilla.org/MPL/ -%%% -%%% Software distributed under the License is distributed on an "AS IS" -%%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See -%%% the License for the specific language governing rights and -%%% limitations under the License. -%%% The Initial Developer of the Original Code is S.G. Consulting -%%% srl. Portions created by S.G. Consulting s.r.l. are Copyright (C) -%%% 2007 S.G. Consulting srl. All Rights Reserved. +%% %CopyrightBegin% +%% +%% SPDX-License-Identifier: MPL-1.1 +%% +%% SPDX-FileCopyrightText: Copyright 2007 S.G. Consulting s.r.l. Filippo Pacini +%% SPDX-FileCopyrightText: Copyright 2007 S.G. Consulting s.r.l. Hunter Morris +%% +%% %CopyrightEnd% + %%% %%% @doc %%%

ewgi API. Defines a low level CGI like API.

diff --git a/lib/dialyzer/test/opaque_SUITE_data/src/ewgi2/ewgi_testapp.erl b/lib/dialyzer/test/opaque_SUITE_data/src/ewgi2/ewgi_testapp.erl index 59c1ae920630..59dddd745b79 100644 --- a/lib/dialyzer/test/opaque_SUITE_data/src/ewgi2/ewgi_testapp.erl +++ b/lib/dialyzer/test/opaque_SUITE_data/src/ewgi2/ewgi_testapp.erl @@ -1,20 +1,11 @@ -%%%------------------------------------------------------------------- -%%% File : ewgi_testapp.erl -%%% Authors : Hunter Morris -%%% License : -%%% The contents of this file are subject to the Mozilla Public -%%% License Version 1.1 (the "License"); you may not use this file -%%% except in compliance with the License. You may obtain a copy of -%%% the License at http://www.mozilla.org/MPL/ -%%% -%%% Software distributed under the License is distributed on an "AS IS" -%%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See -%%% the License for the specific language governing rights and -%%% limitations under the License. -%%% The Initial Developer of the Original Code is S.G. Consulting -%%% srl. Portions created by S.G. Consulting s.r.l. are Copyright (C) -%%% 2007 S.G. Consulting srl. All Rights Reserved. -%%% +%% %CopyrightBegin% +%% +%% SPDX-License-Identifier: MPL-1.1 +%% +%% SPDX-FileCopyrightText: Copyright 2007 S.G. Consulting s.r.l. Hunter Morris +%% +%% %CopyrightEnd% + %%% @doc %%%

ewgi test applications

%%% From 9f012d9d267e13e42ff27da00407a0d129bfa2b1 Mon Sep 17 00:00:00 2001 From: Kiko Fernandez-Reyes Date: Fri, 28 Nov 2025 15:32:00 +0100 Subject: [PATCH 2/4] link SBOM to OpenVEX update OpenVEX id to match file location this is not mandatory in the spec but it makes sense that it coincides. the update also makes the creation of new openvex files to match the new IRI location. --- .github/scripts/otp-compliance.es | 39 ++- vex/otp-26.openvex.json | 2 +- vex/otp-27.openvex.json | 2 +- vex/otp-28.openvex.json | 493 ++++++++++++++++++------------ 4 files changed, 329 insertions(+), 207 deletions(-) diff --git a/.github/scripts/otp-compliance.es b/.github/scripts/otp-compliance.es index d37feb379235..a56a5b65fe4c 100755 --- a/.github/scripts/otp-compliance.es +++ b/.github/scripts/otp-compliance.es @@ -551,7 +551,8 @@ sbom_fixing_functions(ScanResults) -> {fun fix_project_package_version/2, 'OTP_VERSION'}, {fun fix_has_extracted_license_info/2, extracted_license_info()}, {fun fix_project_purl/2, ?spdx_project_purl}, - {fun fix_beam_licenses/2, {Licenses, Copyrights}} ]. + {fun fix_beam_licenses/2, {Licenses, Copyrights}} + ]. fix_project_name(ProjectName, #{ ~"documentDescribes" := [ ProjectName0 ], ~"packages" := Packages}=Sbom) -> @@ -1172,7 +1173,7 @@ create_spdx_package(Pkg) -> Supplier = Pkg#spdx_package.'supplier', Purl1 = case Pkg#spdx_package.'purl' of false -> []; - _ -> [Pkg#spdx_package.'purl'] + _ -> Pkg#spdx_package.'purl' end, #{ ~"SPDXID" => SPDXID, ~"versionInfo" => VersionInfo, @@ -1888,7 +1889,8 @@ create_spdx_package_record(PackageName, Vsn, Description, SpdxPackageFiles, VerificationCodeValue = generate_verification_code_value(SpdxPackageFiles), Purl1 = case Purl of false -> false; - true -> create_externalRef_purl(Description, otp_purl(PackageName, Vsn)) + true -> [create_externalRef_purl(Description, otp_purl(PackageName, Vsn)), + fix_openvex_reference()] end, #spdx_package { 'SPDXID' = SpdxPackageName, 
@@ -1911,6 +1913,19 @@ create_spdx_package_record(PackageName, Vsn, Description, SpdxPackageFiles, }. +fix_openvex_reference() -> + OTPMajorVersion = hd(string:split(get_otp_version(), ".")), + Reference = openvex_iri(OTPMajorVersion), + #{ + ~"referenceCategory" => ~"SECURITY", + ~"referenceLocator" => Reference, + ~"referenceType" => ~"advisory" + }. + +%% Branch = ~"28" or similar. just the current version number. +openvex_iri(Branch) when is_binary(Branch) -> + <<"https://erlang.org/download/vex/otp-", Branch/binary, ".openvex.json">>. + otp_app_license_mapping(Name) -> case Name of ~"edoc" -> ~"Apache-2.0 OR LGPL-2.1-or-later"; @@ -2375,16 +2390,23 @@ test_project_purl(#{~"documentDescribes" := [ProjectName], ~"packages" := Packag ok. test_packages_purl(#{~"documentDescribes" := [ProjectName], ~"packages" := Packages}=_Sbom) -> - OTPPackages = lists:filter(fun (#{~"SPDXID" := Id, ~"name" := Name}) -> ProjectName =/= Id andalso lists:member(Name, minimum_otp_apps()) end, Packages), - true = lists:all(fun (#{~"name" := Name, ~"versionInfo" := Version, ~"externalRefs" := [#{~"referenceLocator":= RefLoc}=Ref]}) -> + OTPPackages = lists:filter(fun (#{~"SPDXID" := Id, ~"name" := Name}) -> + ProjectName =/= Id andalso lists:member(Name, minimum_otp_apps()) + end, Packages), + true = lists:all(fun (#{~"name" := Name, ~"versionInfo" := Version, + ~"externalRefs" := [#{~"referenceLocator":= RefLoc}=Ref, + OpenVex]}) -> ExternalRef = create_externalRef_purl(~"", otp_purl(Name, Version)), ExternalRef1 = maps:remove(~"comment", ExternalRef), Ref1 = maps:remove(~"comment", Ref), + ExpectedVEX = fix_openvex_reference(), + %% check expected external ref ExternalRef1 =:= Ref1 andalso %% check metadata is included in purl - nomatch =/= string:find(RefLoc, ?spdx_purl_meta_data) + nomatch =/= string:find(RefLoc, ?spdx_purl_meta_data) andalso + ExpectedVEX == OpenVex end, OTPPackages), ok. 
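Review bot: `fix_openvex_reference/0` passes `hd(string:split(get_otp_version(), "."))` to `openvex_iri/1`, whose `is_binary/1` guard only accepts a binary; if `get_otp_version/0` (defined outside this hunk) returns a charlist, `string:split` returns charlists and the call fails with `function_clause` for every package. Converting first, `OTPMajorVersion = hd(string:split(unicode:characters_to_binary(get_otp_version()), ~".")),`, makes the helper independent of that return type. The `~"advisory"` reference type under the `SECURITY` category only exists from SPDX 2.3 on, which is the real reason the document version had to be bumped in the first patch; a comment on that line, `%% "advisory" is an SPDX 2.3 referenceType; SPDX 2.2 only defines cpe22Type/cpe23Type here`, would tie the two changes together for the next reader.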
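Review bot: The `lists:all` fun in `test_packages_purl` now has a single clause that matches `externalRefs` as exactly `[Ref, OpenVex]`, so a package with one or three references makes the fun raise `function_clause` instead of failing the `true = …` match, and the error does not name the offending package. Binding the tail, `~"externalRefs" := [#{~"referenceLocator" := RefLoc}=Ref | MoreRefs]`, and checking `lists:member(ExpectedVEX, MoreRefs)` keeps the check while tolerating ordering or extra references. `ExpectedVEX = fix_openvex_reference()` is also evaluated once per package and re-derives the OTP version each time; hoisting it above `lists:all` avoids that.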
@@ -3202,12 +3224,13 @@ fetch_app_from_table(OTPVersion, App0) -> convert_range(Version) -> string:split(Version, ".", all). - +%% Branch = "otp-28" init_openvex_file(Branch) -> Ts = calendar:system_time_to_rfc3339(erlang:system_time(microsecond), [{unit, microsecond}]), + [~"otp", Version] = string:split(Branch, ~"-"), #{ ~"@context" => ~"https://openvex.dev/ns/v0.2.0", - ~"@id" => <<"https://openvex.dev/docs/public/otp/vex-", Branch/binary>>, + ~"@id" => openvex_iri(Version), ~"author" => ~"vexctl", ~"timestamp" => erlang:list_to_binary(Ts), ~"version" => 1, diff --git a/vex/otp-26.openvex.json b/vex/otp-26.openvex.json index fcd62affa14e..56590d125d26 100644 --- a/vex/otp-26.openvex.json +++ b/vex/otp-26.openvex.json @@ -1,6 +1,6 @@ { "@context": "https://openvex.dev/ns/v0.2.0", - "@id": "https://openvex.dev/docs/public/otp/vex-otp-26", + "@id": "https://erlang.org/download/vex/otp-26.openvex.json", "author": "vexctl", "timestamp": "2025-08-28T16:31:28.818462+02:00", "last_updated": "2025-09-16T08:22:17.722696009Z", diff --git a/vex/otp-27.openvex.json b/vex/otp-27.openvex.json index 03b4279b07e8..c7bdf9818095 100644 --- a/vex/otp-27.openvex.json +++ b/vex/otp-27.openvex.json @@ -1,6 +1,6 @@ { "@context": "https://openvex.dev/ns/v0.2.0", - "@id": "https://openvex.dev/docs/public/otp/vex-otp-27", + "@id": "https://erlang.org/download/vex/otp-27.openvex.json", "author": "vexctl", "timestamp": "2025-08-29T10:32:50.272313+02:00", "last_updated": "2025-09-16T08:22:15.513622151Z", diff --git a/vex/otp-28.openvex.json b/vex/otp-28.openvex.json index ea9ab4ea0775..0fd59a6d9fe9 100644 --- a/vex/otp-28.openvex.json +++ b/vex/otp-28.openvex.json 
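Review bot: The new comment `%% Branch = "otp-28"` documents a charlist, but the match added below it, `[~"otp", Version] = string:split(Branch, ~"-")`, only succeeds for a binary: with a charlist argument `string:split` returns charlists and the match fails with `badmatch`. The comment should read `%% Branch = ~"otp-28"` (the `Branch/binary` in the removed `@id` line shows that is the intended type). Note also that `string:split/2` splits at the first `-` only, so a branch name such as `otp-28-something` gives `Version = ~"28-something"` and an `@id` that no longer matches the `vex/otp-NN.openvex.json` layout; whether such names can reach this function depends on the caller, which is outside the hunk.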
@@ -1,34 +1,106 @@ { "@context": "https://openvex.dev/ns/v0.2.0", - "@id": "https://openvex.dev/docs/public/otp/vex-otp-28", + "@id": "https://erlang.org/download/vex/otp-28.openvex.json", "author": "vexctl", - "timestamp": "2025-08-21T10:55:45.714759+02:00", - "last_updated": "2025-10-03T10:20:24.208677628+02:00", - "version": 30, + "timestamp": "2025-11-28T16:37:17.252127+01:00", + "last_updated": "2025-11-28T16:37:19.835503595+01:00", + "version": 28, "statements": [ { "vulnerability": { - "name": "OSV-2025-300" + "name": "CVE-2025-9232" + }, + "timestamp": "2025-11-28T16:37:19.152493952+01:00", + "products": [ + { + "@id": "pkg:github/openssl/openssl@636dfadc70ce26f2473870570bfd9ec352806b1d" + } + ], + "status": "not_affected", + "justification": "vulnerable_code_not_present" + }, + { + "vulnerability": { + "name": "CVE-2025-9231" + }, + "timestamp": "2025-11-28T16:37:19.174339053+01:00", + "products": [ + { + "@id": "pkg:github/openssl/openssl@636dfadc70ce26f2473870570bfd9ec352806b1d" + } + ], + "status": "not_affected", + "justification": "vulnerable_code_not_present" + }, + { + "vulnerability": { + "name": "CVE-2025-9230" + }, + "timestamp": "2025-11-28T16:37:19.200378602+01:00", + "products": [ + { + "@id": "pkg:github/openssl/openssl@636dfadc70ce26f2473870570bfd9ec352806b1d" + } + ], + "status": "not_affected", + "justification": "vulnerable_code_not_present" + }, + { + "vulnerability": { + "name": "CVE-2016-2183" }, - "timestamp": "2025-08-21T10:55:45.929417984+02:00", + "timestamp": "2025-11-28T16:37:19.228586723+01:00", "products": [ { - "@id": "pkg:github/otp/erlang@OTP-28.0" + "@id": "pkg:github/erlang/otp@OTP-28.0" }, { - "@id": "pkg:otp/erts@16.0" + "@id": "pkg:github/erlang/otp@OTP-28.0.1" }, { - "@id": "pkg:github/otp/erlang@OTP-28.0.1" + "@id": "pkg:github/erlang/otp@OTP-28.0.2" }, { - "@id": "pkg:otp/erts@16.0.1" + "@id": "pkg:github/erlang/otp@OTP-28.0.3" }, { - "@id": "pkg:github/otp/erlang@OTP-28.0.2" + "@id": 
"pkg:github/erlang/otp@OTP-28.0.4" + }, + { + "@id": "pkg:otp/erl_interface@5.6" + }, + { + "@id": "pkg:github/erlang/otp@OTP-28.1" + }, + { + "@id": "pkg:github/erlang/otp@OTP-28.1.1" + }, + { + "@id": "pkg:github/erlang/otp@OTP-28.2" + }, + { + "@id": "pkg:otp/erl_interface@5.6.1" + }, + { + "@id": "pkg:otp/erts@16.0" + }, + { + "@id": "pkg:otp/erts@16.0.1" }, { "@id": "pkg:otp/erts@16.0.2" + }, + { + "@id": "pkg:otp/erts@16.0.3" + }, + { + "@id": "pkg:otp/erts@16.1" + }, + { + "@id": "pkg:otp/erts@16.1.1" + }, + { + "@id": "pkg:otp/erts@16.1.2" } ], "status": "not_affected", @@ -36,12 +108,12 @@ }, { "vulnerability": { - "name": "OSV-2025-300" + "name": "CVE-2016-2183" }, - "timestamp": "2025-08-21T10:55:45.944352157+02:00", + "timestamp": "2025-11-28T16:37:19.257327952+01:00", "products": [ { - "@id": "pkg:github/PCRE2Project/pcre2@2dce7761b1831fd3f82a9c2bd5476259d945da4d" + "@id": "pkg:github/openssl/openssl@636dfadc70ce26f2473870570bfd9ec352806b1d" } ], "status": "not_affected", 
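Review bot: The document `version` is lowered from 30 to 28 in this hunk while the statements change, so a consumer that already holds version 30 of `https://erlang.org/download/vex/otp-28.openvex.json` has no way to tell this document is newer, and OpenVEX requires the version to increase on every content change. The top-level `timestamp`, which is the document's creation time, is also reset to 2025-11-28 instead of being kept with only `last_updated` advanced; together this suggests the file was regenerated from scratch rather than updated in place, which is worth confirming since the commit message only mentions the `@id` change. Keeping `"version": 31` and the original `timestamp` would preserve a monotonic history for anyone caching the document. The product purl correction from `pkg:github/otp/erlang` to `pkg:github/erlang/otp` is a real fix and deserves a mention in the message.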
@@ -49,35 +121,108 @@ }, { "vulnerability": { - "name": "CVE-2023-45853" + "name": "CVE-2024-58249" }, - "timestamp": "2025-08-21T10:55:45.958540114+02:00", + "timestamp": "2025-11-28T16:37:19.282985088+01:00", "products": [ { - "@id": "pkg:github/madler/zlib@1a8db63788c34a50e39e273d39b7e1033208aea2" + "@id": "pkg:github/erlang/otp@OTP-28.0" + }, + { + "@id": "pkg:github/erlang/otp@OTP-28.0.1" + }, + { + "@id": "pkg:otp/wx@2.5" + }, + { + "@id": "pkg:github/erlang/otp@OTP-28.0.2" + }, + { + "@id": "pkg:github/erlang/otp@OTP-28.0.3" + }, + { + "@id": "pkg:github/erlang/otp@OTP-28.0.4" + }, + { + "@id": "pkg:otp/wx@2.5.1" + }, + { + "@id": "pkg:github/erlang/otp@OTP-28.1" + }, + { + "@id": "pkg:github/erlang/otp@OTP-28.1.1" + }, + { + "@id": "pkg:github/erlang/otp@OTP-28.2" + }, + { + "@id": "pkg:otp/wx@2.5.2" } ], "status": "not_affected", "justification": "vulnerable_code_not_present" }, + { + "vulnerability": { + "name": "CVE-2024-58249" + }, + "timestamp": "2025-11-28T16:37:19.308451813+01:00", + "products": [ + { + "@id": "pkg:github/wxWidgets/wxWidgets@dc585039bbd426829e3433002023a93f9bedd0c2" + } + ], + "status": "not_affected", + "justification": "vulnerable_code_not_present" + }, + { + "vulnerability": { + "name": "CVE-2025-58050" + }, + "timestamp": "2025-11-28T16:37:19.334486527+01:00", + "products": [ + { + "@id": "pkg:github/PCRE2Project/pcre2@2dce7761b1831fd3f82a9c2bd5476259d945da4d" + } + ], + "status": "under_investigation" + }, { "vulnerability": { "name": "CVE-2025-4575" }, - "timestamp": "2025-08-21T10:55:46.006302174+02:00", + "timestamp": "2025-11-28T16:37:19.365268547+01:00", "products": [ { - "@id": "pkg:github/otp/erlang@OTP-28.0" + "@id": "pkg:github/erlang/otp@OTP-28.0" + }, + { + "@id": "pkg:github/erlang/otp@OTP-28.0.1" + }, + { + "@id": "pkg:github/erlang/otp@OTP-28.0.2" }, { - "@id": "pkg:github/otp/erlang@OTP-28.0.1" + "@id": "pkg:github/erlang/otp@OTP-28.0.3" }, { - "@id": "pkg:github/otp/erlang@OTP-28.0.2" + "@id": 
"pkg:github/erlang/otp@OTP-28.0.4" }, { "@id": "pkg:otp/erl_interface@5.6" }, + { + "@id": "pkg:github/erlang/otp@OTP-28.1" + }, + { + "@id": "pkg:github/erlang/otp@OTP-28.1.1" + }, + { + "@id": "pkg:github/erlang/otp@OTP-28.2" + }, + { + "@id": "pkg:otp/erl_interface@5.6.1" + }, { "@id": "pkg:otp/erts@16.0" }, @@ -86,6 +231,18 @@ }, { "@id": "pkg:otp/erts@16.0.2" + }, + { + "@id": "pkg:otp/erts@16.0.3" + }, + { + "@id": "pkg:otp/erts@16.1" + }, + { + "@id": "pkg:otp/erts@16.1.1" + }, + { + "@id": "pkg:otp/erts@16.1.2" } ], "status": "not_affected", @@ -95,7 +252,7 @@ "vulnerability": { "name": "CVE-2025-4575" }, - "timestamp": "2025-08-21T10:55:46.021839572+02:00", + "timestamp": "2025-11-28T16:37:19.392434763+01:00", "products": [ { "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" 
@@ -106,21 +263,90 @@ }, { "vulnerability": { - "name": "CVE-2025-58050" + "name": "CVE-2023-45853" }, - "timestamp": "2025-09-04T09:25:22.570231836+02:00", + "timestamp": "2025-11-28T16:37:19.418955628+01:00", + "products": [ + { + "@id": "pkg:github/madler/zlib@1a8db63788c34a50e39e273d39b7e1033208aea2" + } + ], + "status": "not_affected", + "justification": "vulnerable_code_not_present" + }, + { + "vulnerability": { + "name": "OSV-2025-300" + }, + "timestamp": "2025-11-28T16:37:19.444832526+01:00", + "products": [ + { + "@id": "pkg:github/erlang/otp@OTP-28.0" + }, + { + "@id": "pkg:otp/erts@16.0" + }, + { + "@id": "pkg:github/erlang/otp@OTP-28.0.1" + }, + { + "@id": "pkg:otp/erts@16.0.1" + }, + { + "@id": "pkg:github/erlang/otp@OTP-28.0.2" + }, + { + "@id": "pkg:otp/erts@16.0.2" + }, + { + "@id": "pkg:github/erlang/otp@OTP-28.0.3" + }, + { + "@id": "pkg:github/erlang/otp@OTP-28.0.4" + }, + { + "@id": "pkg:otp/erts@16.0.3" + }, + { + "@id": "pkg:github/erlang/otp@OTP-28.1" + }, + { + "@id": "pkg:otp/erts@16.1" + }, + { + "@id": "pkg:github/erlang/otp@OTP-28.1.1" + }, + { + "@id": "pkg:otp/erts@16.1.1" + }, + { + "@id": "pkg:github/erlang/otp@OTP-28.2" + }, + { + "@id": "pkg:otp/erts@16.1.2" + } + ], + "status": "not_affected", + "justification": "vulnerable_code_not_present" + }, + { + "vulnerability": { + "name": "OSV-2025-300" + }, + "timestamp": "2025-11-28T16:37:19.46934775+01:00", "products": [ { "@id": "pkg:github/PCRE2Project/pcre2@2dce7761b1831fd3f82a9c2bd5476259d945da4d" } ], - "status": "under_investigation" + "status": "not_affected", + "justification": "vulnerable_code_not_present" }, { "vulnerability": { "name": "CVE-2025-4748" }, - "timestamp": "2025-09-16T08:22:13.190565361Z", + "timestamp": "2025-11-28T16:37:19.495731605+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-28.0" 
@@ -131,13 +357,13 @@ ], "status": "affected", "action_statement": "Update to any of the following versions: pkg:otp/stdlib@7.0.1", - "action_statement_timestamp": "2025-09-16T08:22:13.190565361Z" + "action_statement_timestamp": "2025-11-28T16:37:19.495731605+01:00" }, { "vulnerability": { "name": "CVE-2025-4748" }, - "timestamp": "2025-09-16T08:22:13.207073702Z", + "timestamp": "2025-11-28T16:37:19.521691379+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-28.0.1" @@ -152,7 +378,7 @@ "vulnerability": { "name": "CVE-2025-48038" }, - "timestamp": "2025-09-16T08:22:13.223967395Z", + "timestamp": "2025-11-28T16:37:19.548094389+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-28.0" @@ -175,14 +401,20 @@ ], "status": "affected", "action_statement": "Update to any of the following versions: pkg:otp/ssh@5.3.3", - "action_statement_timestamp": "2025-09-16T08:22:13.223967395Z" + "action_statement_timestamp": "2025-11-28T16:37:19.548094389+01:00" }, { "vulnerability": { "name": "CVE-2025-48038" }, - "timestamp": "2025-09-16T08:22:13.241103494Z", + "timestamp": "2025-11-28T16:37:19.573033851+01:00", "products": [ + { + "@id": "pkg:github/erlang/otp@OTP-28.1.1" + }, + { + "@id": "pkg:github/erlang/otp@OTP-28.1" + }, { "@id": "pkg:github/erlang/otp@OTP-28.0.4" }, @@ -199,7 +431,7 @@ "vulnerability": { "name": "CVE-2025-48039" }, - "timestamp": "2025-09-16T08:22:13.25833703Z", + "timestamp": "2025-11-28T16:37:19.598036441+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-28.0" 
@@ -222,14 +454,20 @@ ], "status": "affected", "action_statement": "Update to any of the following versions: pkg:otp/ssh@5.3.3", - "action_statement_timestamp": "2025-09-16T08:22:13.25833703Z" + "action_statement_timestamp": "2025-11-28T16:37:19.598036441+01:00" }, { "vulnerability": { "name": "CVE-2025-48039" }, - "timestamp": "2025-09-16T08:22:13.276099885Z", + "timestamp": "2025-11-28T16:37:19.623406739+01:00", "products": [ + { + "@id": "pkg:github/erlang/otp@OTP-28.1.1" + }, + { + "@id": "pkg:github/erlang/otp@OTP-28.1" + }, { "@id": "pkg:github/erlang/otp@OTP-28.0.4" }, @@ -246,7 +484,7 @@ "vulnerability": { "name": "CVE-2025-48040" }, - "timestamp": "2025-09-16T08:22:13.293602631Z", + "timestamp": "2025-11-28T16:37:19.650291101+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-28.0" @@ -269,14 +507,20 @@ ], "status": "affected", "action_statement": "Update to any of the following versions: pkg:otp/ssh@5.3.3", - "action_statement_timestamp": "2025-09-16T08:22:13.293602631Z" + "action_statement_timestamp": "2025-11-28T16:37:19.650291101+01:00" }, { "vulnerability": { "name": "CVE-2025-48040" }, - "timestamp": "2025-09-16T08:22:13.310576529Z", + "timestamp": "2025-11-28T16:37:19.677048743+01:00", "products": [ + { + "@id": "pkg:github/erlang/otp@OTP-28.1.1" + }, + { + "@id": "pkg:github/erlang/otp@OTP-28.1" + }, { "@id": "pkg:github/erlang/otp@OTP-28.0.4" }, @@ -293,7 +537,7 @@ "vulnerability": { "name": "CVE-2016-1000107" }, - "timestamp": "2025-09-16T08:22:13.327917962Z", + "timestamp": "2025-11-28T16:37:19.702250279+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-28.0" 
@@ -313,13 +557,13 @@ ], "status": "affected", "action_statement": "Update to any of the following versions: pkg:otp/inets@9.4.1", - "action_statement_timestamp": "2025-09-16T08:22:13.327917962Z" + "action_statement_timestamp": "2025-11-28T16:37:19.702250279+01:00" }, { "vulnerability": { "name": "CVE-2016-1000107" }, - "timestamp": "2025-09-16T08:22:13.344395872Z", + "timestamp": "2025-11-28T16:37:19.730526163+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-28.0.4" @@ -334,7 +578,7 @@ "vulnerability": { "name": "CVE-2025-48041" }, - "timestamp": "2025-09-16T08:22:13.361673347Z", + "timestamp": "2025-11-28T16:37:19.756312677+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-28.0" @@ -357,14 +601,20 @@ ], "status": "affected", "action_statement": "Update to any of the following versions: pkg:otp/ssh@5.3.3", - "action_statement_timestamp": "2025-09-16T08:22:13.361673347Z" + "action_statement_timestamp": "2025-11-28T16:37:19.756312677+01:00" }, { "vulnerability": { "name": "CVE-2025-48041" }, - "timestamp": "2025-09-16T08:22:13.378510169Z", + "timestamp": "2025-11-28T16:37:19.781646157+01:00", "products": [ + { + "@id": "pkg:github/erlang/otp@OTP-28.1.1" + }, + { + "@id": "pkg:github/erlang/otp@OTP-28.1" + }, { "@id": "pkg:github/erlang/otp@OTP-28.0.4" }, @@ -381,7 +631,7 @@ "vulnerability": { "name": "CVE-2025-58050" }, - "timestamp": "2025-09-16T08:22:13.3955185Z", + "timestamp": "2025-11-28T16:37:19.807315814+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-28.0" @@ -404,13 +654,13 @@ ], "status": "affected", "action_statement": "Update to any of the following versions: pkg:otp/erts@16.0.3", - "action_statement_timestamp": "2025-09-16T08:22:13.3955185Z" + "action_statement_timestamp": "2025-11-28T16:37:19.807315814+01:00" }, { "vulnerability": { "name": "CVE-2025-58050" }, - "timestamp": "2025-09-16T08:22:13.412872667Z", + "timestamp": "2025-11-28T16:37:19.835504203+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-28.0.4" 
@@ -423,157 +673,6 @@ } ], "status": "fixed" - }, - { - "vulnerability": { - "name": "CVE-2024-58249" - }, - "timestamp": "2025-09-18T09:59:20.262521222+02:00", - "products": [ - { - "@id": "pkg:github/erlang/otp@OTP-28.0" - }, - { - "@id": "pkg:github/erlang/otp@OTP-28.0.1" - }, - { - "@id": "pkg:otp/wx@2.5" - }, - { - "@id": "pkg:github/erlang/otp@OTP-28.0.2" - }, - { - "@id": "pkg:github/erlang/otp@OTP-28.0.3" - }, - { - "@id": "pkg:github/erlang/otp@OTP-28.0.4" - }, - { - "@id": "pkg:otp/wx@2.5.1" - }, - { - "@id": "pkg:github/erlang/otp@OTP-28.1" - }, - { - "@id": "pkg:otp/wx@2.5.2" - } - ], - "status": "not_affected", - "justification": "vulnerable_code_not_present" - }, - { - "vulnerability": { - "name": "CVE-2024-58249" - }, - "timestamp": "2025-09-18T09:59:20.278042349+02:00", - "products": [ - { - "@id": "pkg:github/wxWidgets/wxWidgets@dc585039bbd426829e3433002023a93f9bedd0c2" - } - ], - "status": "not_affected", - "justification": "vulnerable_code_not_present" - }, - { - "vulnerability": { - "name": "CVE-2025-9232" - }, - "timestamp": "2025-10-03T10:20:24.13493901+02:00", - "products": [ - { - "@id": "pkg:github/openssl/openssl@636dfadc70ce26f2473870570bfd9ec352806b1d" - } - ], - "status": "not_affected", - "justification": "vulnerable_code_not_present" - }, - { - "vulnerability": { - "name": "CVE-2025-9231" - }, - "timestamp": "2025-10-03T10:20:24.15652644+02:00", - "products": [ - { - "@id": "pkg:github/openssl/openssl@636dfadc70ce26f2473870570bfd9ec352806b1d" - } - ], - "status": "not_affected", - "justification": "vulnerable_code_not_present" - }, - { - "vulnerability": { - "name": "CVE-2025-9230" - }, - "timestamp": "2025-10-03T10:20:24.175534094+02:00", - "products": [ - { - "@id": "pkg:github/openssl/openssl@636dfadc70ce26f2473870570bfd9ec352806b1d" - } - ], - "status": "not_affected", - "justification": "vulnerable_code_not_present" - }, - { - "vulnerability": { - "name": "CVE-2016-2183" - }, - "timestamp": "2025-10-03T10:20:24.191435568+02:00", 
- "products": [ - { - "@id": "pkg:github/erlang/otp@OTP-28.0" - }, - { - "@id": "pkg:github/erlang/otp@OTP-28.0.1" - }, - { - "@id": "pkg:github/erlang/otp@OTP-28.0.2" - }, - { - "@id": "pkg:github/erlang/otp@OTP-28.0.3" - }, - { - "@id": "pkg:github/erlang/otp@OTP-28.0.4" - }, - { - "@id": "pkg:otp/erl_interface@5.6" - }, - { - "@id": "pkg:github/erlang/otp@OTP-28.1" - }, - { - "@id": "pkg:otp/erl_interface@5.6.1" - }, - { - "@id": "pkg:otp/erts@16.0" - }, - { - "@id": "pkg:otp/erts@16.0.1" - }, - { - "@id": "pkg:otp/erts@16.0.2" - }, - { - "@id": "pkg:otp/erts@16.0.3" - }, - { - "@id": "pkg:otp/erts@16.1" - } - ], - "status": "not_affected", - "justification": "vulnerable_code_not_present" - }, - { - "vulnerability": { - "name": "CVE-2016-2183" - }, - "timestamp": "2025-10-03T10:20:24.208678161+02:00", - "products": [ - { - "@id": "pkg:github/openssl/openssl@636dfadc70ce26f2473870570bfd9ec352806b1d" - } - ], - "status": "not_affected", - "justification": "vulnerable_code_not_present" } ] } From 731ee417dbd2c33b4021913ce72f6bd7a106138a Mon Sep 17 00:00:00 2001 From: Kiko Fernandez-Reyes Date: Mon, 1 Dec 2025 15:58:18 +0100 Subject: [PATCH 3/4] update generation of openvex for 26 and 27 --- vex/otp-26.openvex.json | 1632 +++++++++++++++++++++------------------ vex/otp-27.openvex.json | 957 ++++++++++++++--------- 2 files changed, 1482 insertions(+), 1107 deletions(-) diff --git a/vex/otp-26.openvex.json b/vex/otp-26.openvex.json index 56590d125d26..2ff4dd535d8f 100644 --- a/vex/otp-26.openvex.json +++ b/vex/otp-26.openvex.json 
@@ -2,103 +2,43 @@ "@context": "https://openvex.dev/ns/v0.2.0", "@id": "https://erlang.org/download/vex/otp-26.openvex.json", "author": "vexctl", - "timestamp": "2025-08-28T16:31:28.818462+02:00", - "last_updated": "2025-09-16T08:22:17.722696009Z", + "timestamp": "2025-12-01T15:55:26.987402+01:00", + "last_updated": "2025-12-01T15:56:22.448586444+01:00", "version": 49, "statements": [ { "vulnerability": { - "name": "CVE-2023-45853" + "name": "CVE-2024-53846" }, - "timestamp": "2025-08-28T16:31:55.029114897+02:00", + "timestamp": "2025-12-01T15:56:20.989476844+01:00", "products": [ - { - "@id": "pkg:github/erlang/otp@OTP-26.0" - }, - { - "@id": "pkg:otp/erts@14.0" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.0.1" - }, - { - "@id": "pkg:otp/erts@14.0.1" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.0.2" - }, - { - "@id": "pkg:otp/erts@14.0.2" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.1" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.1.1" - }, - { - "@id": "pkg:otp/erts@14.1" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.1.2" - }, - { - "@id": "pkg:otp/erts@14.1.1" - }, { "@id": "pkg:github/erlang/otp@OTP-26.2" }, - { - "@id": "pkg:otp/erts@14.2" - }, { "@id": "pkg:github/erlang/otp@OTP-26.2.1" }, - { - "@id": "pkg:otp/erts@14.2.1" - }, { "@id": "pkg:github/erlang/otp@OTP-26.2.2" }, - { - "@id": "pkg:otp/erts@14.2.2" - }, { "@id": "pkg:github/erlang/otp@OTP-26.2.3" }, - { - "@id": "pkg:otp/erts@14.2.3" - }, { "@id": "pkg:github/erlang/otp@OTP-26.2.4" }, - { - "@id": "pkg:otp/erts@14.2.4" - }, { "@id": "pkg:github/erlang/otp@OTP-26.2.5" }, - { - "@id": "pkg:otp/erts@14.2.5" - }, { "@id": "pkg:github/erlang/otp@OTP-26.2.5.1" }, - { - "@id": "pkg:otp/erts@14.2.5.1" - }, { "@id": "pkg:github/erlang/otp@OTP-26.2.5.2" }, - { - "@id": "pkg:otp/erts@14.2.5.2" - }, { "@id": "pkg:github/erlang/otp@OTP-26.2.5.3" }, - { - "@id": "pkg:otp/erts@14.2.5.3" - }, { "@id": "pkg:github/erlang/otp@OTP-26.2.5.4" }, 
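Review bot: The regenerated header changes `timestamp` and `last_updated` but carries `"version": 49` over unchanged, even though the statement set in this hunk is materially different (the CVE-2023-45853 statements are gone and CVE-2024-53846 affected/fixed statements take their place). As I read OpenVEX, `version` is what a consumer uses to tell which of two documents sharing the same `@id` supersedes the other, so a republished document with different content should bump it, e.g. `"version": 50,`. If vexctl does not increment this automatically, the generation step should derive it from the previously published document rather than re-emitting a fixed value.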
@@ -106,78 +46,60 @@ "@id": "pkg:github/erlang/otp@OTP-26.2.5.5" }, { - "@id": "pkg:otp/erts@14.2.5.4" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.6" - }, - { - "@id": "pkg:otp/erts@14.2.5.5" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.7" - }, - { - "@id": "pkg:otp/erts@14.2.5.6" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.8" - }, - { - "@id": "pkg:otp/erts@14.2.5.7" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.9" + "@id": "pkg:otp/ssl@11.1" }, { - "@id": "pkg:otp/erts@14.2.5.8" + "@id": "pkg:otp/ssl@11.1.1" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.10" + "@id": "pkg:otp/ssl@11.1.2" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.11" + "@id": "pkg:otp/ssl@11.1.3" }, { - "@id": "pkg:otp/erts@14.2.5.9" + "@id": "pkg:otp/ssl@11.1.4" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.12" + "@id": "pkg:otp/ssl@11.1.4.1" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.13" + "@id": "pkg:otp/ssl@11.1.4.2" }, { - "@id": "pkg:otp/erts@14.2.5.10" + "@id": "pkg:otp/ssl@11.1.4.3" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.14" + "@id": "pkg:otp/ssl@11.1.4.4" }, { - "@id": "pkg:otp/erts@14.2.5.11" + "@id": "pkg:otp/ssl@11.1.4.5" } ], - "status": "not_affected", - "justification": "vulnerable_code_not_present" + "status": "affected", + "action_statement": "Update to ssl@11.1.4.6", + "action_statement_timestamp": "2025-12-01T15:56:20.989476844+01:00" }, { "vulnerability": { - "name": "CVE-2023-45853" + "name": "CVE-2024-53846" }, - "timestamp": "2025-08-28T16:31:55.045486705+02:00", + "timestamp": "2025-12-01T15:56:21.030306617+01:00", "products": [ { - "@id": "pkg:github/madler/zlib@04f42ceca40f73e2978b50e93806c2a18c1281fc" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.6" + }, + { + "@id": "pkg:otp/ssl@11.1.4.6" } ], - "status": "not_affected", - "justification": "vulnerable_code_not_present" + "status": "fixed" }, { "vulnerability": { - "name": "CVE-2023-6129" + "name": "CVE-2025-30211" }, - "timestamp": "2025-08-28T16:31:55.063693842+02:00", + 
"timestamp": "2025-12-01T15:56:21.06681791+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-26.0" @@ -197,18 +119,12 @@ { "@id": "pkg:github/erlang/otp@OTP-26.1.2" }, - { - "@id": "pkg:otp/erl_interface@5.4" - }, { "@id": "pkg:github/erlang/otp@OTP-26.2" }, { "@id": "pkg:github/erlang/otp@OTP-26.2.1" }, - { - "@id": "pkg:otp/erl_interface@5.5" - }, { "@id": "pkg:github/erlang/otp@OTP-26.2.2" }, 
@@ -249,111 +165,69 @@ "@id": "pkg:github/erlang/otp@OTP-26.2.5.9" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.10" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.11" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.12" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.13" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.14" - }, - { - "@id": "pkg:otp/erl_interface@5.5.1" - }, - { - "@id": "pkg:otp/erts@14.0" - }, - { - "@id": "pkg:otp/erts@14.0.1" - }, - { - "@id": "pkg:otp/erts@14.0.2" - }, - { - "@id": "pkg:otp/erts@14.1" - }, - { - "@id": "pkg:otp/erts@14.1.1" - }, - { - "@id": "pkg:otp/erts@14.2" - }, - { - "@id": "pkg:otp/erts@14.2.1" - }, - { - "@id": "pkg:otp/erts@14.2.2" - }, - { - "@id": "pkg:otp/erts@14.2.3" - }, - { - "@id": "pkg:otp/erts@14.2.4" + "@id": "pkg:otp/ssh@5.0" }, { - "@id": "pkg:otp/erts@14.2.5" + "@id": "pkg:otp/ssh@5.0.1" }, { - "@id": "pkg:otp/erts@14.2.5.1" + "@id": "pkg:otp/ssh@5.1" }, { - "@id": "pkg:otp/erts@14.2.5.2" + "@id": "pkg:otp/ssh@5.1.1" }, { - "@id": "pkg:otp/erts@14.2.5.3" + "@id": "pkg:otp/ssh@5.1.2" }, { - "@id": "pkg:otp/erts@14.2.5.4" + "@id": "pkg:otp/ssh@5.1.3" }, { - "@id": "pkg:otp/erts@14.2.5.5" + "@id": "pkg:otp/ssh@5.1.4" }, { - "@id": "pkg:otp/erts@14.2.5.6" + "@id": "pkg:otp/ssh@5.1.4.1" }, { - "@id": "pkg:otp/erts@14.2.5.7" + "@id": "pkg:otp/ssh@5.1.4.2" }, { - "@id": "pkg:otp/erts@14.2.5.8" + "@id": "pkg:otp/ssh@5.1.4.3" }, { - "@id": "pkg:otp/erts@14.2.5.9" + "@id": "pkg:otp/ssh@5.1.4.4" }, { - "@id": "pkg:otp/erts@14.2.5.10" + "@id": "pkg:otp/ssh@5.1.4.5" }, { - "@id": "pkg:otp/erts@14.2.5.11" + "@id": "pkg:otp/ssh@5.1.4.6" } ], - "status": "not_affected", - "justification": "vulnerable_code_not_present" + "status": "affected", + "action_statement": "Workaround: set option `parallel_login` to false. 
Reduce `max_sessions` option.", + "action_statement_timestamp": "2025-12-01T15:56:21.06681791+01:00" }, { "vulnerability": { - "name": "CVE-2023-6129" + "name": "CVE-2025-30211" }, - "timestamp": "2025-08-28T16:31:55.079739995+02:00", + "timestamp": "2025-12-01T15:56:21.101017611+01:00", "products": [ { - "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.10" + }, + { + "@id": "pkg:otp/ssh@5.1.4.7" } ], - "status": "not_affected", - "justification": "vulnerable_code_not_present" + "status": "fixed" }, { "vulnerability": { - "name": "CVE-2023-6237" + "name": "CVE-2025-4748" }, - "timestamp": "2025-08-28T16:31:55.096285731+02:00", + "timestamp": "2025-12-01T15:56:21.139026356+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-26.0" @@ -373,18 +247,12 @@ { "@id": "pkg:github/erlang/otp@OTP-26.1.2" }, - { - "@id": "pkg:otp/erl_interface@5.4" - }, { "@id": "pkg:github/erlang/otp@OTP-26.2" }, { "@id": "pkg:github/erlang/otp@OTP-26.2.1" }, - { - "@id": "pkg:otp/erl_interface@5.5" - }, { "@id": "pkg:github/erlang/otp@OTP-26.2.2" }, 
@@ -434,133 +302,70 @@ "@id": "pkg:github/erlang/otp@OTP-26.2.5.12" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.13" + "@id": "pkg:otp/stdlib@5.0" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.14" + "@id": "pkg:otp/stdlib@5.0.1" }, { - "@id": "pkg:otp/erl_interface@5.5.1" + "@id": "pkg:otp/stdlib@5.0.2" }, { - "@id": "pkg:otp/erts@14.0" + "@id": "pkg:otp/stdlib@5.1" }, { - "@id": "pkg:otp/erts@14.0.1" + "@id": "pkg:otp/stdlib@5.1.1" }, { - "@id": "pkg:otp/erts@14.0.2" + "@id": "pkg:otp/stdlib@5.2" }, { - "@id": "pkg:otp/erts@14.1" + "@id": "pkg:otp/stdlib@5.2.1" }, { - "@id": "pkg:otp/erts@14.1.1" + "@id": "pkg:otp/stdlib@5.2.2" }, { - "@id": "pkg:otp/erts@14.2" + "@id": "pkg:otp/stdlib@5.2.3" }, { - "@id": "pkg:otp/erts@14.2.1" + "@id": "pkg:otp/stdlib@5.2.3.1" }, { - "@id": "pkg:otp/erts@14.2.2" + "@id": "pkg:otp/stdlib@5.2.3.2" }, { - "@id": "pkg:otp/erts@14.2.3" - }, + "@id": "pkg:otp/stdlib@5.2.3.3" + } + ], + "status": "affected", + "action_statement": "Mitigation: Update to pkg:otp/stdlib@5.2.3.4", + "action_statement_timestamp": "2025-12-01T15:56:21.139026356+01:00" + }, + { + "vulnerability": { + "name": "CVE-2025-4748" + }, + "timestamp": "2025-12-01T15:56:21.173730171+01:00", + "products": [ { - "@id": "pkg:otp/erts@14.2.4" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.13" }, { - "@id": "pkg:otp/erts@14.2.5" - }, - { - "@id": "pkg:otp/erts@14.2.5.1" - }, - { - "@id": "pkg:otp/erts@14.2.5.2" - }, - { - "@id": "pkg:otp/erts@14.2.5.3" - }, - { - "@id": "pkg:otp/erts@14.2.5.4" - }, - { - "@id": "pkg:otp/erts@14.2.5.5" - }, - { - "@id": "pkg:otp/erts@14.2.5.6" - }, - { - "@id": "pkg:otp/erts@14.2.5.7" - }, - { - "@id": "pkg:otp/erts@14.2.5.8" - }, - { - "@id": "pkg:otp/erts@14.2.5.9" - }, - { - "@id": "pkg:otp/erts@14.2.5.10" - }, - { - "@id": "pkg:otp/erts@14.2.5.11" - } - ], - "status": "not_affected", - "justification": "vulnerable_code_not_present" - }, - { - "vulnerability": { - "name": "CVE-2023-6237" - }, - "timestamp": 
"2025-08-28T16:31:55.111514072+02:00", - "products": [ - { - "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" + "@id": "pkg:otp/stdlib@5.2.3.4" } ], - "status": "not_affected", - "justification": "vulnerable_code_not_present" + "status": "fixed" }, { "vulnerability": { - "name": "CVE-2024-0727" + "name": "CVE-2025-46712" }, - "timestamp": "2025-08-28T16:31:55.128132987+02:00", + "timestamp": "2025-12-01T15:56:21.20631949+01:00", "products": [ - { - "@id": "pkg:github/erlang/otp@OTP-26.0" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.0.1" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.0.2" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.1" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.1.1" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.1.2" - }, - { - "@id": "pkg:otp/erl_interface@5.4" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.2" - }, { "@id": "pkg:github/erlang/otp@OTP-26.2.1" }, - { - "@id": "pkg:otp/erl_interface@5.5" - }, { "@id": "pkg:github/erlang/otp@OTP-26.2.2" }, 
@@ -607,105 +412,66 @@ "@id": "pkg:github/erlang/otp@OTP-26.2.5.11" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.12" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.13" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.14" - }, - { - "@id": "pkg:otp/erl_interface@5.5.1" - }, - { - "@id": "pkg:otp/erts@14.0" - }, - { - "@id": "pkg:otp/erts@14.0.1" - }, - { - "@id": "pkg:otp/erts@14.0.2" - }, - { - "@id": "pkg:otp/erts@14.1" - }, - { - "@id": "pkg:otp/erts@14.1.1" - }, - { - "@id": "pkg:otp/erts@14.2" - }, - { - "@id": "pkg:otp/erts@14.2.1" - }, - { - "@id": "pkg:otp/erts@14.2.2" - }, - { - "@id": "pkg:otp/erts@14.2.3" - }, - { - "@id": "pkg:otp/erts@14.2.4" - }, - { - "@id": "pkg:otp/erts@14.2.5" + "@id": "pkg:otp/ssh@5.1.1" }, { - "@id": "pkg:otp/erts@14.2.5.1" + "@id": "pkg:otp/ssh@5.1.2" }, { - "@id": "pkg:otp/erts@14.2.5.2" + "@id": "pkg:otp/ssh@5.1.3" }, { - "@id": "pkg:otp/erts@14.2.5.3" + "@id": "pkg:otp/ssh@5.1.4" }, { - "@id": "pkg:otp/erts@14.2.5.4" + "@id": "pkg:otp/ssh@5.1.4.1" }, { - "@id": "pkg:otp/erts@14.2.5.5" + "@id": "pkg:otp/ssh@5.1.4.2" }, { - "@id": "pkg:otp/erts@14.2.5.6" + "@id": "pkg:otp/ssh@5.1.4.3" }, { - "@id": "pkg:otp/erts@14.2.5.7" + "@id": "pkg:otp/ssh@5.1.4.4" }, { - "@id": "pkg:otp/erts@14.2.5.8" + "@id": "pkg:otp/ssh@5.1.4.5" }, { - "@id": "pkg:otp/erts@14.2.5.9" + "@id": "pkg:otp/ssh@5.1.4.6" }, { - "@id": "pkg:otp/erts@14.2.5.10" + "@id": "pkg:otp/ssh@5.1.4.7" }, { - "@id": "pkg:otp/erts@14.2.5.11" + "@id": "pkg:otp/ssh@5.1.4.8" } ], - "status": "not_affected", - "justification": "vulnerable_code_not_present" + "status": "affected", + "action_statement": "Update to the next version", + "action_statement_timestamp": "2025-12-01T15:56:21.20631949+01:00" }, { "vulnerability": { - "name": "CVE-2024-0727" + "name": "CVE-2025-46712" }, - "timestamp": "2025-08-28T16:31:55.143175048+02:00", + "timestamp": "2025-12-01T15:56:21.241667223+01:00", "products": [ { - "@id": 
"pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.12" + }, + { + "@id": "pkg:otp/ssh@5.1.4.9" } ], - "status": "not_affected", - "justification": "vulnerable_code_not_present" + "status": "fixed" }, { "vulnerability": { - "name": "CVE-2024-13176" + "name": "CVE-2025-32433" }, - "timestamp": "2025-08-28T16:31:55.159744964+02:00", + "timestamp": "2025-12-01T15:56:21.277243405+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-26.0" @@ -725,18 +491,12 @@ { "@id": "pkg:github/erlang/otp@OTP-26.1.2" }, - { - "@id": "pkg:otp/erl_interface@5.4" - }, { "@id": "pkg:github/erlang/otp@OTP-26.2" }, { "@id": "pkg:github/erlang/otp@OTP-26.2.1" }, - { - "@id": "pkg:otp/erl_interface@5.5" - }, { "@id": "pkg:github/erlang/otp@OTP-26.2.2" }, 
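Review bot: The `action_statement` on the CVE-2025-46712 affected statement in this hunk is `"Update to the next version"`, which gives a consumer no concrete target, while the paired fixed statement right after it pins `pkg:otp/ssh@5.1.4.9` and `OTP-26.2.5.12`. Elsewhere in the same file the explicit form is already used (`"Mitigation: Update to pkg:otp/stdlib@5.2.3.4"`), so this entry should match it: `"action_statement": "Update to pkg:otp/ssh@5.1.4.9 (OTP-26.2.5.12)"`. The same vague wording is used for CVE-2025-26618 further down, whose fixed statement names `pkg:otp/ssh@5.1.4.6` / `OTP-26.2.5.9`, and it would benefit from the same treatment.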
@@ -780,108 +540,72 @@ "@id": "pkg:github/erlang/otp@OTP-26.2.5.10" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.11" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.12" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.13" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.14" - }, - { - "@id": "pkg:otp/erl_interface@5.5.1" - }, - { - "@id": "pkg:otp/erts@14.0" - }, - { - "@id": "pkg:otp/erts@14.0.1" - }, - { - "@id": "pkg:otp/erts@14.0.2" - }, - { - "@id": "pkg:otp/erts@14.1" - }, - { - "@id": "pkg:otp/erts@14.1.1" - }, - { - "@id": "pkg:otp/erts@14.2" - }, - { - "@id": "pkg:otp/erts@14.2.1" - }, - { - "@id": "pkg:otp/erts@14.2.2" - }, - { - "@id": "pkg:otp/erts@14.2.3" + "@id": "pkg:otp/ssh@5.0" }, { - "@id": "pkg:otp/erts@14.2.4" + "@id": "pkg:otp/ssh@5.0.1" }, { - "@id": "pkg:otp/erts@14.2.5" + "@id": "pkg:otp/ssh@5.1" }, { - "@id": "pkg:otp/erts@14.2.5.1" + "@id": "pkg:otp/ssh@5.1.1" }, { - "@id": "pkg:otp/erts@14.2.5.2" + "@id": "pkg:otp/ssh@5.1.2" }, { - "@id": "pkg:otp/erts@14.2.5.3" + "@id": "pkg:otp/ssh@5.1.3" }, { - "@id": "pkg:otp/erts@14.2.5.4" + "@id": "pkg:otp/ssh@5.1.4" }, { - "@id": "pkg:otp/erts@14.2.5.5" + "@id": "pkg:otp/ssh@5.1.4.1" }, { - "@id": "pkg:otp/erts@14.2.5.6" + "@id": "pkg:otp/ssh@5.1.4.2" }, { - "@id": "pkg:otp/erts@14.2.5.7" + "@id": "pkg:otp/ssh@5.1.4.3" }, { - "@id": "pkg:otp/erts@14.2.5.8" + "@id": "pkg:otp/ssh@5.1.4.4" }, { - "@id": "pkg:otp/erts@14.2.5.9" + "@id": "pkg:otp/ssh@5.1.4.5" }, { - "@id": "pkg:otp/erts@14.2.5.10" + "@id": "pkg:otp/ssh@5.1.4.6" }, { - "@id": "pkg:otp/erts@14.2.5.11" + "@id": "pkg:otp/ssh@5.1.4.7" } ], - "status": "not_affected", - "justification": "vulnerable_code_not_present" + "status": "affected", + "action_statement": "A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.", + "action_statement_timestamp": "2025-12-01T15:56:21.277243405+01:00" }, { "vulnerability": { - "name": "CVE-2024-13176" + "name": "CVE-2025-32433" }, - "timestamp": 
"2025-08-28T16:31:55.175145774+02:00", + "timestamp": "2025-12-01T15:56:21.307814821+01:00", "products": [ { - "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.11" + }, + { + "@id": "pkg:otp/ssh@5.1.4.8" } ], - "status": "not_affected", - "justification": "vulnerable_code_not_present" + "status": "fixed" }, { "vulnerability": { - "name": "CVE-2024-2511" + "name": "CVE-2025-26618" }, - "timestamp": "2025-08-28T16:31:55.192243703+02:00", + "timestamp": "2025-12-01T15:56:21.33978739+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-26.0" @@ -901,18 +625,12 @@ { "@id": "pkg:github/erlang/otp@OTP-26.1.2" }, - { - "@id": "pkg:otp/erl_interface@5.4" - }, { "@id": "pkg:github/erlang/otp@OTP-26.2" }, { "@id": "pkg:github/erlang/otp@OTP-26.2.1" }, - { - "@id": "pkg:otp/erl_interface@5.5" - }, { "@id": "pkg:github/erlang/otp@OTP-26.2.2" }, 
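Review bot: The CVE-2025-32433 affected statement's `action_statement` only describes the temporary workaround (disable the SSH server or block it with firewall rules) and never names the fixed release, although the fixed statement in this same hunk pins `pkg:otp/ssh@5.1.4.8` / `OTP-26.2.5.11`. When the only listed workaround is taking the service offline, the upgrade is the primary action a VEX consumer needs, so I would phrase it as `"action_statement": "Update to pkg:otp/ssh@5.1.4.8 (OTP-26.2.5.11). Until then, disable the SSH server or restrict access to it with firewall rules."`. Naming the fixed version in the affected statement also lets tooling correlate the two statements without parsing the rest of the document.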
@@ -950,114 +668,98 @@ "@id": "pkg:github/erlang/otp@OTP-26.2.5.8" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.9" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.10" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.11" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.12" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.13" - }, - { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.14" - }, - { - "@id": "pkg:otp/erl_interface@5.5.1" - }, - { - "@id": "pkg:otp/erts@14.0" - }, - { - "@id": "pkg:otp/erts@14.0.1" - }, - { - "@id": "pkg:otp/erts@14.0.2" - }, - { - "@id": "pkg:otp/erts@14.1" - }, - { - "@id": "pkg:otp/erts@14.1.1" - }, - { - "@id": "pkg:otp/erts@14.2" - }, - { - "@id": "pkg:otp/erts@14.2.1" + "@id": "pkg:otp/ssh@5.0" }, { - "@id": "pkg:otp/erts@14.2.2" + "@id": "pkg:otp/ssh@5.0.1" }, { - "@id": "pkg:otp/erts@14.2.3" + "@id": "pkg:otp/ssh@5.1" }, { - "@id": "pkg:otp/erts@14.2.4" + "@id": "pkg:otp/ssh@5.1.1" }, { - "@id": "pkg:otp/erts@14.2.5" + "@id": "pkg:otp/ssh@5.1.2" }, { - "@id": "pkg:otp/erts@14.2.5.1" + "@id": "pkg:otp/ssh@5.1.3" }, { - "@id": "pkg:otp/erts@14.2.5.2" + "@id": "pkg:otp/ssh@5.1.4" }, { - "@id": "pkg:otp/erts@14.2.5.3" + "@id": "pkg:otp/ssh@5.1.4.1" }, { - "@id": "pkg:otp/erts@14.2.5.4" + "@id": "pkg:otp/ssh@5.1.4.2" }, { - "@id": "pkg:otp/erts@14.2.5.5" + "@id": "pkg:otp/ssh@5.1.4.3" }, { - "@id": "pkg:otp/erts@14.2.5.6" + "@id": "pkg:otp/ssh@5.1.4.4" }, { - "@id": "pkg:otp/erts@14.2.5.7" - }, + "@id": "pkg:otp/ssh@5.1.4.5" + } + ], + "status": "affected", + "action_statement": "Update to the next version", + "action_statement_timestamp": "2025-12-01T15:56:21.33978739+01:00" + }, + { + "vulnerability": { + "name": "CVE-2025-26618" + }, + "timestamp": "2025-12-01T15:56:21.365223261+01:00", + "products": [ { - "@id": "pkg:otp/erts@14.2.5.8" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.9" }, { - "@id": "pkg:otp/erts@14.2.5.9" - }, + "@id": "pkg:otp/ssh@5.1.4.6" + } + ], + "status": "fixed" + }, + { + "vulnerability": { + "name": 
"CVE-2023-48795" + }, + "timestamp": "2025-12-01T15:56:21.392441978+01:00", + "products": [ { - "@id": "pkg:otp/erts@14.2.5.10" + "@id": "pkg:github/erlang/otp@OTP-26.2" }, { - "@id": "pkg:otp/erts@14.2.5.11" + "@id": "pkg:otp/ssh@5.1" } ], - "status": "not_affected", - "justification": "vulnerable_code_not_present" + "status": "affected", + "action_statement": "Mitigation: If strict KEX availability cannot be ensured on both connection sides, affected encryption modes(CHACHA and CBC) can be disabled with standard ssh configuration. This will provide protection against vulnerability, but at a cost of affecting interoperability", + "action_statement_timestamp": "2025-12-01T15:56:21.392441978+01:00" }, { "vulnerability": { - "name": "CVE-2024-2511" + "name": "CVE-2023-48795" }, - "timestamp": "2025-08-28T16:31:55.20791825+02:00", + "timestamp": "2025-12-01T15:56:21.417431452+01:00", "products": [ { - "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" + "@id": "pkg:github/erlang/otp@OTP-26.2.1" + }, + { + "@id": "pkg:otp/ssh@5.1.1" } ], - "status": "not_affected", - "justification": "vulnerable_code_not_present" + "status": "fixed" }, { "vulnerability": { - "name": "CVE-2024-4603" + "name": "CVE-2025-4575" }, - "timestamp": "2025-08-28T16:31:55.225863181+02:00", + "timestamp": "2025-12-01T15:56:21.448755654+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-26.0" @@ -1143,6 +845,12 @@ { "@id": "pkg:github/erlang/otp@OTP-26.2.5.14" }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.15" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.16" + }, { "@id": "pkg:otp/erl_interface@5.5.1" }, @@ -1211,6 +919,9 @@ }, { "@id": "pkg:otp/erts@14.2.5.11" + }, + { + "@id": "pkg:otp/erts@14.2.5.12" } ], "status": "not_affected", 
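Review bot: The CVE-2023-48795 affected statement lists only `pkg:github/erlang/otp@OTP-26.2` and `pkg:otp/ssh@5.1`, so OTP-26.0 through OTP-26.1.2 (ssh@5.0 and ssh@5.0.1) get no statement for this CVE at all, whereas every other ssh advisory in this file (CVE-2025-32433, CVE-2025-26618, CVE-2025-30211) enumerates affected products from `pkg:otp/ssh@5.0` upward. This is carried over from the previous revision rather than introduced here, but a consumer on OTP-26.1.x currently gets neither an affected nor a not_affected answer. If those releases are affected they should be added to the products list with the same `action_statement`; if they are deliberately out of scope, an explicit `"status": "not_affected"` statement with a justification would make that decision visible instead of implicit.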
@@ -1218,9 +929,9 @@ }, { "vulnerability": { - "name": "CVE-2024-4603" + "name": "CVE-2025-4575" }, - "timestamp": "2025-08-28T16:31:55.242417476+02:00", + "timestamp": "2025-12-01T15:56:21.479097623+01:00", "products": [ { "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" @@ -1231,9 +942,9 @@ }, { "vulnerability": { - "name": "CVE-2024-4741" + "name": "CVE-2024-9143" }, - "timestamp": "2025-08-28T16:31:55.261081431+02:00", + "timestamp": "2025-12-01T15:56:21.509652185+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-26.0" @@ -1319,6 +1030,12 @@ { "@id": "pkg:github/erlang/otp@OTP-26.2.5.14" }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.15" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.16" + }, { "@id": "pkg:otp/erl_interface@5.5.1" }, @@ -1387,6 +1104,9 @@ }, { "@id": "pkg:otp/erts@14.2.5.11" + }, + { + "@id": "pkg:otp/erts@14.2.5.12" } ], "status": "not_affected", @@ -1394,9 +1114,9 @@ }, { "vulnerability": { - "name": "CVE-2024-4741" + "name": "CVE-2024-9143" }, - "timestamp": "2025-08-28T16:31:55.279844704+02:00", + "timestamp": "2025-12-01T15:56:21.535987804+01:00", "products": [ { "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" @@ -1407,9 +1127,9 @@ }, { "vulnerability": { - "name": "CVE-2024-5535" + "name": "CVE-2024-6119" }, - "timestamp": "2025-08-28T16:31:55.296948372+02:00", + "timestamp": "2025-12-01T15:56:21.564527112+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-26.0" @@ -1495,6 +1215,12 @@ { "@id": "pkg:github/erlang/otp@OTP-26.2.5.14" }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.15" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.16" + }, { "@id": "pkg:otp/erl_interface@5.5.1" }, @@ -1563,6 +1289,9 @@ }, { "@id": "pkg:otp/erts@14.2.5.11" + }, + { + "@id": "pkg:otp/erts@14.2.5.12" } ], "status": "not_affected", 
@@ -1570,9 +1299,9 @@ }, { "vulnerability": { - "name": "CVE-2024-5535" + "name": "CVE-2024-6119" }, - "timestamp": "2025-08-28T16:31:55.314429632+02:00", + "timestamp": "2025-12-01T15:56:21.591262725+01:00", "products": [ { "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" @@ -1583,9 +1312,9 @@ }, { "vulnerability": { - "name": "CVE-2024-6119" + "name": "CVE-2024-5535" }, - "timestamp": "2025-08-28T16:31:55.330535133+02:00", + "timestamp": "2025-12-01T15:56:21.617896062+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-26.0" @@ -1671,6 +1400,12 @@ { "@id": "pkg:github/erlang/otp@OTP-26.2.5.14" }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.15" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.16" + }, { "@id": "pkg:otp/erl_interface@5.5.1" }, @@ -1739,6 +1474,9 @@ }, { "@id": "pkg:otp/erts@14.2.5.11" + }, + { + "@id": "pkg:otp/erts@14.2.5.12" } ], "status": "not_affected", @@ -1746,9 +1484,9 @@ }, { "vulnerability": { - "name": "CVE-2024-6119" + "name": "CVE-2024-5535" }, - "timestamp": "2025-08-28T16:31:55.348214348+02:00", + "timestamp": "2025-12-01T15:56:21.643516949+01:00", "products": [ { "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" @@ -1759,9 +1497,9 @@ }, { "vulnerability": { - "name": "CVE-2024-9143" + "name": "CVE-2024-4741" }, - "timestamp": "2025-08-28T16:31:55.364788347+02:00", + "timestamp": "2025-12-01T15:56:21.672918715+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-26.0" @@ -1847,6 +1585,12 @@ { "@id": "pkg:github/erlang/otp@OTP-26.2.5.14" }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.15" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.16" + }, { "@id": "pkg:otp/erl_interface@5.5.1" }, @@ -1915,6 +1659,9 @@ }, { "@id": "pkg:otp/erts@14.2.5.11" + }, + { + "@id": "pkg:otp/erts@14.2.5.12" } ], "status": "not_affected", 
@@ -1922,9 +1669,9 @@ }, { "vulnerability": { - "name": "CVE-2024-9143" + "name": "CVE-2024-4741" }, - "timestamp": "2025-08-28T16:31:55.381752889+02:00", + "timestamp": "2025-12-01T15:56:21.703385522+01:00", "products": [ { "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" @@ -1935,9 +1682,9 @@ }, { "vulnerability": { - "name": "CVE-2025-4575" + "name": "CVE-2024-4603" }, - "timestamp": "2025-08-28T16:31:55.398898447+02:00", + "timestamp": "2025-12-01T15:56:21.736471381+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-26.0" @@ -2023,6 +1770,12 @@ { "@id": "pkg:github/erlang/otp@OTP-26.2.5.14" }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.15" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.16" + }, { "@id": "pkg:otp/erl_interface@5.5.1" }, @@ -2091,6 +1844,9 @@ }, { "@id": "pkg:otp/erts@14.2.5.11" + }, + { + "@id": "pkg:otp/erts@14.2.5.12" } ], "status": "not_affected", @@ -2098,9 +1854,9 @@ }, { "vulnerability": { - "name": "CVE-2025-4575" + "name": "CVE-2024-4603" }, - "timestamp": "2025-08-28T16:31:55.415390248+02:00", + "timestamp": "2025-12-01T15:56:21.767795119+01:00", "products": [ { "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" 
@@ -2111,41 +1867,9 @@ }, { "vulnerability": { - "name": "CVE-2023-48795" - }, - "timestamp": "2025-08-28T16:31:55.433429189+02:00", - "products": [ - { - "@id": "pkg:github/erlang/otp@OTP-26.2" - }, - { - "@id": "pkg:otp/ssh@5.1" - } - ], - "status": "affected", - "action_statement": "Mitigation: If strict KEX availability cannot be ensured on both connection sides, affected encryption modes(CHACHA and CBC) can be disabled with standard ssh configuration. This will provide protection against vulnerability, but at a cost of affecting interoperability", - "action_statement_timestamp": "2025-08-28T16:31:55.433429189+02:00" - }, - { - "vulnerability": { - "name": "CVE-2023-48795" - }, - "timestamp": "2025-08-28T16:31:55.449852183+02:00", - "products": [ - { - "@id": "pkg:github/erlang/otp@OTP-26.2.1" - }, - { - "@id": "pkg:otp/ssh@5.1.1" - } - ], - "status": "fixed" - }, - { - "vulnerability": { - "name": "CVE-2025-26618" + "name": "CVE-2024-2511" }, - "timestamp": "2025-08-28T16:31:55.467500309+02:00", + "timestamp": "2025-12-01T15:56:21.803420313+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-26.0" @@ -2165,12 +1889,18 @@ { "@id": "pkg:github/erlang/otp@OTP-26.1.2" }, + { + "@id": "pkg:otp/erl_interface@5.4" + }, { "@id": "pkg:github/erlang/otp@OTP-26.2" }, { "@id": "pkg:github/erlang/otp@OTP-26.2.1" }, + { + "@id": "pkg:otp/erl_interface@5.5" + }, { "@id": "pkg:github/erlang/otp@OTP-26.2.2" }, 
@@ -2208,310 +1938,308 @@ "@id": "pkg:github/erlang/otp@OTP-26.2.5.8" }, { - "@id": "pkg:otp/ssh@5.0" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.9" }, { - "@id": "pkg:otp/ssh@5.0.1" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.10" }, { - "@id": "pkg:otp/ssh@5.1" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.11" }, { - "@id": "pkg:otp/ssh@5.1.1" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.12" }, { - "@id": "pkg:otp/ssh@5.1.2" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.13" }, { - "@id": "pkg:otp/ssh@5.1.3" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.14" }, { - "@id": "pkg:otp/ssh@5.1.4" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.15" }, { - "@id": "pkg:otp/ssh@5.1.4.1" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.16" }, { - "@id": "pkg:otp/ssh@5.1.4.2" + "@id": "pkg:otp/erl_interface@5.5.1" }, { - "@id": "pkg:otp/ssh@5.1.4.3" + "@id": "pkg:otp/erts@14.0" }, { - "@id": "pkg:otp/ssh@5.1.4.4" + "@id": "pkg:otp/erts@14.0.1" }, { - "@id": "pkg:otp/ssh@5.1.4.5" - } - ], - "status": "affected", - "action_statement": "Update to the next version", - "action_statement_timestamp": "2025-08-28T16:31:55.467500309+02:00" - }, - { - "vulnerability": { - "name": "CVE-2025-26618" - }, - "timestamp": "2025-08-28T16:31:55.484858368+02:00", - "products": [ - { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.9" + "@id": "pkg:otp/erts@14.0.2" }, { - "@id": "pkg:otp/ssh@5.1.4.6" - } - ], - "status": "fixed" - }, - { - "vulnerability": { - "name": "CVE-2025-32433" - }, - "timestamp": "2025-08-28T16:31:55.503170489+02:00", - "products": [ - { - "@id": "pkg:github/erlang/otp@OTP-26.0" + "@id": "pkg:otp/erts@14.1" }, { - "@id": "pkg:github/erlang/otp@OTP-26.0.1" + "@id": "pkg:otp/erts@14.1.1" }, { - "@id": "pkg:github/erlang/otp@OTP-26.0.2" + "@id": "pkg:otp/erts@14.2" }, { - "@id": "pkg:github/erlang/otp@OTP-26.1" + "@id": "pkg:otp/erts@14.2.1" }, { - "@id": "pkg:github/erlang/otp@OTP-26.1.1" + "@id": "pkg:otp/erts@14.2.2" }, { - "@id": "pkg:github/erlang/otp@OTP-26.1.2" + "@id": "pkg:otp/erts@14.2.3" }, { 
- "@id": "pkg:github/erlang/otp@OTP-26.2" + "@id": "pkg:otp/erts@14.2.4" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.1" + "@id": "pkg:otp/erts@14.2.5" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.2" + "@id": "pkg:otp/erts@14.2.5.1" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.3" + "@id": "pkg:otp/erts@14.2.5.2" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.4" + "@id": "pkg:otp/erts@14.2.5.3" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5" + "@id": "pkg:otp/erts@14.2.5.4" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.1" + "@id": "pkg:otp/erts@14.2.5.5" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.2" + "@id": "pkg:otp/erts@14.2.5.6" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.3" + "@id": "pkg:otp/erts@14.2.5.7" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.4" + "@id": "pkg:otp/erts@14.2.5.8" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.5" + "@id": "pkg:otp/erts@14.2.5.9" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.6" + "@id": "pkg:otp/erts@14.2.5.10" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.7" + "@id": "pkg:otp/erts@14.2.5.11" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.8" + "@id": "pkg:otp/erts@14.2.5.12" + } + ], + "status": "not_affected", + "justification": "vulnerable_code_not_present" + }, + { + "vulnerability": { + "name": "CVE-2024-2511" + }, + "timestamp": "2025-12-01T15:56:21.832344748+01:00", + "products": [ + { + "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" + } + ], + "status": "not_affected", + "justification": "vulnerable_code_not_present" + }, + { + "vulnerability": { + "name": "CVE-2024-13176" + }, + "timestamp": "2025-12-01T15:56:21.861177421+01:00", + "products": [ + { + "@id": "pkg:github/erlang/otp@OTP-26.0" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.9" + "@id": "pkg:github/erlang/otp@OTP-26.0.1" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.10" + "@id": "pkg:github/erlang/otp@OTP-26.0.2" }, { - "@id": "pkg:otp/ssh@5.0" + "@id": "pkg:github/erlang/otp@OTP-26.1" }, { - "@id": 
"pkg:otp/ssh@5.0.1" + "@id": "pkg:github/erlang/otp@OTP-26.1.1" }, { - "@id": "pkg:otp/ssh@5.1" + "@id": "pkg:github/erlang/otp@OTP-26.1.2" }, { - "@id": "pkg:otp/ssh@5.1.1" + "@id": "pkg:otp/erl_interface@5.4" }, { - "@id": "pkg:otp/ssh@5.1.2" + "@id": "pkg:github/erlang/otp@OTP-26.2" }, { - "@id": "pkg:otp/ssh@5.1.3" + "@id": "pkg:github/erlang/otp@OTP-26.2.1" }, { - "@id": "pkg:otp/ssh@5.1.4" + "@id": "pkg:otp/erl_interface@5.5" }, { - "@id": "pkg:otp/ssh@5.1.4.1" + "@id": "pkg:github/erlang/otp@OTP-26.2.2" }, { - "@id": "pkg:otp/ssh@5.1.4.2" + "@id": "pkg:github/erlang/otp@OTP-26.2.3" }, { - "@id": "pkg:otp/ssh@5.1.4.3" + "@id": "pkg:github/erlang/otp@OTP-26.2.4" }, { - "@id": "pkg:otp/ssh@5.1.4.4" + "@id": "pkg:github/erlang/otp@OTP-26.2.5" }, { - "@id": "pkg:otp/ssh@5.1.4.5" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.1" }, { - "@id": "pkg:otp/ssh@5.1.4.6" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.2" }, { - "@id": "pkg:otp/ssh@5.1.4.7" - } - ], - "status": "affected", - "action_statement": "A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.", - "action_statement_timestamp": "2025-08-28T16:31:55.503170489+02:00" - }, - { - "vulnerability": { - "name": "CVE-2025-32433" - }, - "timestamp": "2025-08-28T16:31:55.519994676+02:00", - "products": [ + "@id": "pkg:github/erlang/otp@OTP-26.2.5.3" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.4" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.5" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.6" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.7" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.8" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.9" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.10" + }, { "@id": "pkg:github/erlang/otp@OTP-26.2.5.11" }, { - "@id": "pkg:otp/ssh@5.1.4.8" - } - ], - "status": "fixed" - }, - { - "vulnerability": { - "name": "CVE-2025-46712" - }, - "timestamp": "2025-08-28T16:31:55.538537108+02:00", - "products": [ + 
"@id": "pkg:github/erlang/otp@OTP-26.2.5.12" + }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.1" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.13" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.2" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.14" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.3" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.15" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.4" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.16" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5" + "@id": "pkg:otp/erl_interface@5.5.1" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.1" + "@id": "pkg:otp/erts@14.0" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.2" + "@id": "pkg:otp/erts@14.0.1" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.3" + "@id": "pkg:otp/erts@14.0.2" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.4" + "@id": "pkg:otp/erts@14.1" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.5" + "@id": "pkg:otp/erts@14.1.1" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.6" + "@id": "pkg:otp/erts@14.2" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.7" + "@id": "pkg:otp/erts@14.2.1" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.8" + "@id": "pkg:otp/erts@14.2.2" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.9" + "@id": "pkg:otp/erts@14.2.3" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.10" + "@id": "pkg:otp/erts@14.2.4" }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.11" + "@id": "pkg:otp/erts@14.2.5" }, { - "@id": "pkg:otp/ssh@5.1.1" + "@id": "pkg:otp/erts@14.2.5.1" }, { - "@id": "pkg:otp/ssh@5.1.2" + "@id": "pkg:otp/erts@14.2.5.2" }, { - "@id": "pkg:otp/ssh@5.1.3" + "@id": "pkg:otp/erts@14.2.5.3" }, { - "@id": "pkg:otp/ssh@5.1.4" + "@id": "pkg:otp/erts@14.2.5.4" }, { - "@id": "pkg:otp/ssh@5.1.4.1" + "@id": "pkg:otp/erts@14.2.5.5" }, { - "@id": "pkg:otp/ssh@5.1.4.2" + "@id": "pkg:otp/erts@14.2.5.6" }, { - "@id": "pkg:otp/ssh@5.1.4.3" + "@id": "pkg:otp/erts@14.2.5.7" }, { - "@id": "pkg:otp/ssh@5.1.4.4" + "@id": "pkg:otp/erts@14.2.5.8" }, { - "@id": "pkg:otp/ssh@5.1.4.5" + 
"@id": "pkg:otp/erts@14.2.5.9" }, { - "@id": "pkg:otp/ssh@5.1.4.6" + "@id": "pkg:otp/erts@14.2.5.10" }, { - "@id": "pkg:otp/ssh@5.1.4.7" + "@id": "pkg:otp/erts@14.2.5.11" }, { - "@id": "pkg:otp/ssh@5.1.4.8" + "@id": "pkg:otp/erts@14.2.5.12" } ], - "status": "affected", - "action_statement": "Update to the next version", - "action_statement_timestamp": "2025-08-28T16:31:55.538537108+02:00" + "status": "not_affected", + "justification": "vulnerable_code_not_present" }, { "vulnerability": { - "name": "CVE-2025-46712" + "name": "CVE-2024-13176" }, - "timestamp": "2025-08-28T16:31:55.55674843+02:00", + "timestamp": "2025-12-01T15:56:21.891029676+01:00", "products": [ { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.12" - }, - { - "@id": "pkg:otp/ssh@5.1.4.9" + "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" } ], - "status": "fixed" + "status": "not_affected", + "justification": "vulnerable_code_not_present" }, { "vulnerability": { - "name": "CVE-2025-4748" + "name": "CVE-2024-0727" }, - "timestamp": "2025-08-28T16:31:55.573170701+02:00", + "timestamp": "2025-12-01T15:56:21.921320015+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-26.0" @@ -2531,12 +2259,18 @@ { "@id": "pkg:github/erlang/otp@OTP-26.1.2" }, + { + "@id": "pkg:otp/erl_interface@5.4" + }, { "@id": "pkg:github/erlang/otp@OTP-26.2" }, { "@id": "pkg:github/erlang/otp@OTP-26.2.1" }, + { + "@id": "pkg:otp/erl_interface@5.5" + }, { "@id": "pkg:github/erlang/otp@OTP-26.2.2" }, 
@@ -2586,66 +2320,111 @@ "@id": "pkg:github/erlang/otp@OTP-26.2.5.12" }, { - "@id": "pkg:otp/stdlib@5.0" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.13" }, { - "@id": "pkg:otp/stdlib@5.0.1" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.14" }, { - "@id": "pkg:otp/stdlib@5.0.2" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.15" }, { - "@id": "pkg:otp/stdlib@5.1" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.16" }, { - "@id": "pkg:otp/stdlib@5.1.1" + "@id": "pkg:otp/erl_interface@5.5.1" }, { - "@id": "pkg:otp/stdlib@5.2" + "@id": "pkg:otp/erts@14.0" }, { - "@id": "pkg:otp/stdlib@5.2.1" + "@id": "pkg:otp/erts@14.0.1" }, { - "@id": "pkg:otp/stdlib@5.2.2" + "@id": "pkg:otp/erts@14.0.2" }, { - "@id": "pkg:otp/stdlib@5.2.3" + "@id": "pkg:otp/erts@14.1" }, { - "@id": "pkg:otp/stdlib@5.2.3.1" + "@id": "pkg:otp/erts@14.1.1" }, { - "@id": "pkg:otp/stdlib@5.2.3.2" + "@id": "pkg:otp/erts@14.2" }, { - "@id": "pkg:otp/stdlib@5.2.3.3" - } - ], - "status": "affected", - "action_statement": "Mitigation: Update to pkg:otp/stdlib@5.2.3.4", - "action_statement_timestamp": "2025-08-28T16:31:55.573170701+02:00" - }, - { - "vulnerability": { - "name": "CVE-2025-4748" - }, - "timestamp": "2025-08-28T16:31:55.590601204+02:00", - "products": [ + "@id": "pkg:otp/erts@14.2.1" + }, { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.13" + "@id": "pkg:otp/erts@14.2.2" }, { - "@id": "pkg:otp/stdlib@5.2.3.4" - } - ], - "status": "fixed" - }, - { - "vulnerability": { - "name": "CVE-2025-30211" + "@id": "pkg:otp/erts@14.2.3" + }, + { + "@id": "pkg:otp/erts@14.2.4" + }, + { + "@id": "pkg:otp/erts@14.2.5" + }, + { + "@id": "pkg:otp/erts@14.2.5.1" + }, + { + "@id": "pkg:otp/erts@14.2.5.2" + }, + { + "@id": "pkg:otp/erts@14.2.5.3" + }, + { + "@id": "pkg:otp/erts@14.2.5.4" + }, + { + "@id": "pkg:otp/erts@14.2.5.5" + }, + { + "@id": "pkg:otp/erts@14.2.5.6" + }, + { + "@id": "pkg:otp/erts@14.2.5.7" + }, + { + "@id": "pkg:otp/erts@14.2.5.8" + }, + { + "@id": "pkg:otp/erts@14.2.5.9" + }, + { + "@id": "pkg:otp/erts@14.2.5.10" + 
}, + { + "@id": "pkg:otp/erts@14.2.5.11" + }, + { + "@id": "pkg:otp/erts@14.2.5.12" + } + ], + "status": "not_affected", + "justification": "vulnerable_code_not_present" + }, + { + "vulnerability": { + "name": "CVE-2024-0727" }, - "timestamp": "2025-08-28T16:31:55.606487306+02:00", + "timestamp": "2025-12-01T15:56:21.952830949+01:00", + "products": [ + { + "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" + } + ], + "status": "not_affected", + "justification": "vulnerable_code_not_present" + }, + { + "vulnerability": { + "name": "CVE-2023-6237" + }, + "timestamp": "2025-12-01T15:56:21.98188831+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-26.0" @@ -2665,12 +2444,18 @@ { "@id": "pkg:github/erlang/otp@OTP-26.1.2" }, + { + "@id": "pkg:otp/erl_interface@5.4" + }, { "@id": "pkg:github/erlang/otp@OTP-26.2" }, { "@id": "pkg:github/erlang/otp@OTP-26.2.1" }, + { + "@id": "pkg:otp/erl_interface@5.5" + }, { "@id": "pkg:github/erlang/otp@OTP-26.2.2" }, 
@@ -2711,76 +2496,151 @@ "@id": "pkg:github/erlang/otp@OTP-26.2.5.9" }, { - "@id": "pkg:otp/ssh@5.0" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.10" }, { - "@id": "pkg:otp/ssh@5.0.1" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.11" }, { - "@id": "pkg:otp/ssh@5.1" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.12" }, { - "@id": "pkg:otp/ssh@5.1.1" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.13" }, { - "@id": "pkg:otp/ssh@5.1.2" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.14" }, { - "@id": "pkg:otp/ssh@5.1.3" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.15" }, { - "@id": "pkg:otp/ssh@5.1.4" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.16" }, { - "@id": "pkg:otp/ssh@5.1.4.1" + "@id": "pkg:otp/erl_interface@5.5.1" }, { - "@id": "pkg:otp/ssh@5.1.4.2" + "@id": "pkg:otp/erts@14.0" }, { - "@id": "pkg:otp/ssh@5.1.4.3" + "@id": "pkg:otp/erts@14.0.1" }, { - "@id": "pkg:otp/ssh@5.1.4.4" + "@id": "pkg:otp/erts@14.0.2" }, { - "@id": "pkg:otp/ssh@5.1.4.5" + "@id": "pkg:otp/erts@14.1" }, { - "@id": "pkg:otp/ssh@5.1.4.6" + "@id": "pkg:otp/erts@14.1.1" + }, + { + "@id": "pkg:otp/erts@14.2" + }, + { + "@id": "pkg:otp/erts@14.2.1" + }, + { + "@id": "pkg:otp/erts@14.2.2" + }, + { + "@id": "pkg:otp/erts@14.2.3" + }, + { + "@id": "pkg:otp/erts@14.2.4" + }, + { + "@id": "pkg:otp/erts@14.2.5" + }, + { + "@id": "pkg:otp/erts@14.2.5.1" + }, + { + "@id": "pkg:otp/erts@14.2.5.2" + }, + { + "@id": "pkg:otp/erts@14.2.5.3" + }, + { + "@id": "pkg:otp/erts@14.2.5.4" + }, + { + "@id": "pkg:otp/erts@14.2.5.5" + }, + { + "@id": "pkg:otp/erts@14.2.5.6" + }, + { + "@id": "pkg:otp/erts@14.2.5.7" + }, + { + "@id": "pkg:otp/erts@14.2.5.8" + }, + { + "@id": "pkg:otp/erts@14.2.5.9" + }, + { + "@id": "pkg:otp/erts@14.2.5.10" + }, + { + "@id": "pkg:otp/erts@14.2.5.11" + }, + { + "@id": "pkg:otp/erts@14.2.5.12" } ], - "status": "affected", - "action_statement": "Workaround: set option `parallel_login` to false. 
Reduce `max_sessions` option.", - "action_statement_timestamp": "2025-08-28T16:31:55.606487306+02:00" + "status": "not_affected", + "justification": "vulnerable_code_not_present" }, { "vulnerability": { - "name": "CVE-2025-30211" + "name": "CVE-2023-6237" }, - "timestamp": "2025-08-28T16:31:55.624228684+02:00", + "timestamp": "2025-12-01T15:56:22.010358313+01:00", "products": [ { - "@id": "pkg:github/erlang/otp@OTP-26.2.5.10" - }, - { - "@id": "pkg:otp/ssh@5.1.4.7" + "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" } ], - "status": "fixed" + "status": "not_affected", + "justification": "vulnerable_code_not_present" }, { "vulnerability": { - "name": "CVE-2024-53846" + "name": "CVE-2023-6129" }, - "timestamp": "2025-08-28T16:31:55.640907555+02:00", + "timestamp": "2025-12-01T15:56:22.040346618+01:00", "products": [ + { + "@id": "pkg:github/erlang/otp@OTP-26.0" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.0.1" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.0.2" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.1" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.1.1" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.1.2" + }, + { + "@id": "pkg:otp/erl_interface@5.4" + }, { "@id": "pkg:github/erlang/otp@OTP-26.2" }, { "@id": "pkg:github/erlang/otp@OTP-26.2.1" }, + { + "@id": "pkg:otp/erl_interface@5.5" + }, { "@id": "pkg:github/erlang/otp@OTP-26.2.2" }, 
@@ -2809,60 +2669,308 @@ "@id": "pkg:github/erlang/otp@OTP-26.2.5.5" }, { - "@id": "pkg:otp/ssl@11.1" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.6" }, { - "@id": "pkg:otp/ssl@11.1.1" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.7" }, { - "@id": "pkg:otp/ssl@11.1.2" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.8" }, { - "@id": "pkg:otp/ssl@11.1.3" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.9" }, { - "@id": "pkg:otp/ssl@11.1.4" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.10" }, { - "@id": "pkg:otp/ssl@11.1.4.1" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.11" }, { - "@id": "pkg:otp/ssl@11.1.4.2" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.12" }, { - "@id": "pkg:otp/ssl@11.1.4.3" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.13" }, { - "@id": "pkg:otp/ssl@11.1.4.4" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.14" }, { - "@id": "pkg:otp/ssl@11.1.4.5" + "@id": "pkg:github/erlang/otp@OTP-26.2.5.15" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.16" + }, + { + "@id": "pkg:otp/erl_interface@5.5.1" + }, + { + "@id": "pkg:otp/erts@14.0" + }, + { + "@id": "pkg:otp/erts@14.0.1" + }, + { + "@id": "pkg:otp/erts@14.0.2" + }, + { + "@id": "pkg:otp/erts@14.1" + }, + { + "@id": "pkg:otp/erts@14.1.1" + }, + { + "@id": "pkg:otp/erts@14.2" + }, + { + "@id": "pkg:otp/erts@14.2.1" + }, + { + "@id": "pkg:otp/erts@14.2.2" + }, + { + "@id": "pkg:otp/erts@14.2.3" + }, + { + "@id": "pkg:otp/erts@14.2.4" + }, + { + "@id": "pkg:otp/erts@14.2.5" + }, + { + "@id": "pkg:otp/erts@14.2.5.1" + }, + { + "@id": "pkg:otp/erts@14.2.5.2" + }, + { + "@id": "pkg:otp/erts@14.2.5.3" + }, + { + "@id": "pkg:otp/erts@14.2.5.4" + }, + { + "@id": "pkg:otp/erts@14.2.5.5" + }, + { + "@id": "pkg:otp/erts@14.2.5.6" + }, + { + "@id": "pkg:otp/erts@14.2.5.7" + }, + { + "@id": "pkg:otp/erts@14.2.5.8" + }, + { + "@id": "pkg:otp/erts@14.2.5.9" + }, + { + "@id": "pkg:otp/erts@14.2.5.10" + }, + { + "@id": "pkg:otp/erts@14.2.5.11" + }, + { + "@id": "pkg:otp/erts@14.2.5.12" } ], - "status": "affected", - "action_statement": "Update to 
ssl@11.1.4.6", - "action_statement_timestamp": "2025-08-28T16:31:55.640907555+02:00" + "status": "not_affected", + "justification": "vulnerable_code_not_present" }, { "vulnerability": { - "name": "CVE-2024-53846" + "name": "CVE-2023-6129" }, - "timestamp": "2025-08-28T16:31:55.660153121+02:00", + "timestamp": "2025-12-01T15:56:22.072541773+01:00", "products": [ + { + "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" + } + ], + "status": "not_affected", + "justification": "vulnerable_code_not_present" + }, + { + "vulnerability": { + "name": "CVE-2023-45853" + }, + "timestamp": "2025-12-01T15:56:22.106196984+01:00", + "products": [ + { + "@id": "pkg:github/erlang/otp@OTP-26.0" + }, + { + "@id": "pkg:otp/erts@14.0" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.0.1" + }, + { + "@id": "pkg:otp/erts@14.0.1" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.0.2" + }, + { + "@id": "pkg:otp/erts@14.0.2" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.1" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.1.1" + }, + { + "@id": "pkg:otp/erts@14.1" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.1.2" + }, + { + "@id": "pkg:otp/erts@14.1.1" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2" + }, + { + "@id": "pkg:otp/erts@14.2" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.1" + }, + { + "@id": "pkg:otp/erts@14.2.1" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.2" + }, + { + "@id": "pkg:otp/erts@14.2.2" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.3" + }, + { + "@id": "pkg:otp/erts@14.2.3" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.4" + }, + { + "@id": "pkg:otp/erts@14.2.4" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5" + }, + { + "@id": "pkg:otp/erts@14.2.5" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.1" + }, + { + "@id": "pkg:otp/erts@14.2.5.1" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.2" + }, + { + "@id": "pkg:otp/erts@14.2.5.2" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.3" + }, + { + "@id": 
"pkg:otp/erts@14.2.5.3" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.4" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.5" + }, + { + "@id": "pkg:otp/erts@14.2.5.4" + }, { "@id": "pkg:github/erlang/otp@OTP-26.2.5.6" }, { - "@id": "pkg:otp/ssl@11.1.4.6" + "@id": "pkg:otp/erts@14.2.5.5" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.7" + }, + { + "@id": "pkg:otp/erts@14.2.5.6" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.8" + }, + { + "@id": "pkg:otp/erts@14.2.5.7" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.9" + }, + { + "@id": "pkg:otp/erts@14.2.5.8" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.10" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.11" + }, + { + "@id": "pkg:otp/erts@14.2.5.9" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.12" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.13" + }, + { + "@id": "pkg:otp/erts@14.2.5.10" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.14" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.15" + }, + { + "@id": "pkg:otp/erts@14.2.5.11" + }, + { + "@id": "pkg:github/erlang/otp@OTP-26.2.5.16" + }, + { + "@id": "pkg:otp/erts@14.2.5.12" } ], - "status": "fixed" + "status": "not_affected", + "justification": "vulnerable_code_not_present" + }, + { + "vulnerability": { + "name": "CVE-2023-45853" + }, + "timestamp": "2025-12-01T15:56:22.137011001+01:00", + "products": [ + { + "@id": "pkg:github/madler/zlib@04f42ceca40f73e2978b50e93806c2a18c1281fc" + } + ], + "status": "not_affected", + "justification": "vulnerable_code_not_present" }, { "vulnerability": { "name": "CVE-2025-48038" }, - "timestamp": "2025-09-16T08:22:17.547011966Z", + "timestamp": "2025-12-01T15:56:22.166141925+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-26.0" 
@@ -2999,13 +3107,13 @@ ], "status": "affected", "action_statement": "Update to any of the following versions: pkg:otp/ssh@5.1.4.12", - "action_statement_timestamp": "2025-09-16T08:22:17.547011966Z" + "action_statement_timestamp": "2025-12-01T15:56:22.166141925+01:00" }, { "vulnerability": { "name": "CVE-2025-48038" }, - "timestamp": "2025-09-16T08:22:17.565861422Z", + "timestamp": "2025-12-01T15:56:22.198669581+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-26.2.5.15" @@ -3020,7 +3128,7 @@ "vulnerability": { "name": "CVE-2025-48039" }, - "timestamp": "2025-09-16T08:22:17.584641996Z", + "timestamp": "2025-12-01T15:56:22.230932658+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-26.0" @@ -3157,13 +3265,13 @@ ], "status": "affected", "action_statement": "Update to any of the following versions: pkg:otp/ssh@5.1.4.12", - "action_statement_timestamp": "2025-09-16T08:22:17.584641996Z" + "action_statement_timestamp": "2025-12-01T15:56:22.230932658+01:00" }, { "vulnerability": { "name": "CVE-2025-48039" }, - "timestamp": "2025-09-16T08:22:17.603878224Z", + "timestamp": "2025-12-01T15:56:22.260479714+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-26.2.5.15" @@ -3178,7 +3286,7 @@ "vulnerability": { "name": "CVE-2025-48040" }, - "timestamp": "2025-09-16T08:22:17.62403072Z", + "timestamp": "2025-12-01T15:56:22.29334238+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-26.0" @@ -3315,13 +3423,13 @@ ], "status": "affected", "action_statement": "Update to any of the following versions: pkg:otp/ssh@5.1.4.12", - "action_statement_timestamp": "2025-09-16T08:22:17.62403072Z" + "action_statement_timestamp": "2025-12-01T15:56:22.29334238+01:00" }, { "vulnerability": { "name": "CVE-2025-48040" }, - "timestamp": "2025-09-16T08:22:17.643000813Z", + "timestamp": "2025-12-01T15:56:22.323150485+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-26.2.5.15" 
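Review bot: In the `@@ -2999,13 +3107,13 @@` hunk the CVE-2025-48038 statement's `timestamp` and `action_statement_timestamp` are rewritten to the 2025-12-01 generation time while its status, products and action statement are unchanged, so the document no longer records when this assessment was actually made. As I read the OpenVEX statement fields, `timestamp` is meant to mark when the stated information was known to be true, so re-stamping unchanged statements on every regeneration makes old assessments look new to consumers that diff successive documents. The same timestamp-only churn appears in the following hunks of this file (CVE-2025-48039, CVE-2025-48040, CVE-2016-1000107, CVE-2025-48041) and throughout the vex/otp-27.openvex.json hunks below. If the generator cannot carry per-statement timestamps over, consider regenerating only the statements whose content changed, or documenting in the workflow that timestamps reflect regeneration time rather than assessment time.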
@@ -3336,7 +3444,7 @@ "vulnerability": { "name": "CVE-2016-1000107" }, - "timestamp": "2025-09-16T08:22:17.66303789Z", + "timestamp": "2025-12-01T15:56:22.355018388+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-26.0" @@ -3437,13 +3545,13 @@ ], "status": "affected", "action_statement": "Update to any of the following versions: pkg:otp/inets@9.1.0.3", - "action_statement_timestamp": "2025-09-16T08:22:17.66303789Z" + "action_statement_timestamp": "2025-12-01T15:56:22.355018388+01:00" }, { "vulnerability": { "name": "CVE-2016-1000107" }, - "timestamp": "2025-09-16T08:22:17.682476147Z", + "timestamp": "2025-12-01T15:56:22.385367314+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-26.2.5.15" @@ -3458,7 +3566,7 @@ "vulnerability": { "name": "CVE-2025-48041" }, - "timestamp": "2025-09-16T08:22:17.702083402Z", + "timestamp": "2025-12-01T15:56:22.418589766+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-26.0" @@ -3595,13 +3703,13 @@ ], "status": "affected", "action_statement": "Update to any of the following versions: pkg:otp/ssh@5.1.4.12", - "action_statement_timestamp": "2025-09-16T08:22:17.702083402Z" + "action_statement_timestamp": "2025-12-01T15:56:22.418589766+01:00" }, { "vulnerability": { "name": "CVE-2025-48041" }, - "timestamp": "2025-09-16T08:22:17.72269681Z", + "timestamp": "2025-12-01T15:56:22.448588779+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-26.2.5.15" diff --git a/vex/otp-27.openvex.json b/vex/otp-27.openvex.json index c7bdf9818095..71d8f261a46a 100644 --- a/vex/otp-27.openvex.json +++ b/vex/otp-27.openvex.json 
@@ -2,137 +2,163 @@ "@context": "https://openvex.dev/ns/v0.2.0", "@id": "https://erlang.org/download/vex/otp-27.openvex.json", "author": "vexctl", - "timestamp": "2025-08-29T10:32:50.272313+02:00", - "last_updated": "2025-09-16T08:22:15.513622151Z", + "timestamp": "2025-12-01T15:56:28.947145+01:00", + "last_updated": "2025-12-01T15:58:05.887622447+01:00", "version": 47, "statements": [ { "vulnerability": { - "name": "CVE-2023-45853" + "name": "CVE-2024-53846" }, - "timestamp": "2025-08-29T10:33:30.800535795+02:00", + "timestamp": "2025-12-01T15:58:04.676135893+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-27.0" }, - { - "@id": "pkg:otp/erts@15.0" - }, { "@id": "pkg:github/erlang/otp@OTP-27.0.1" }, { - "@id": "pkg:otp/erts@15.0.1" + "@id": "pkg:github/erlang/otp@OTP-27.1" }, { - "@id": "pkg:github/erlang/otp@OTP-27.1" + "@id": "pkg:github/erlang/otp@OTP-27.1.1" }, { - "@id": "pkg:otp/erts@15.1" + "@id": "pkg:github/erlang/otp@OTP-27.1.2" }, { - "@id": "pkg:github/erlang/otp@OTP-27.1.1" + "@id": "pkg:otp/ssl@11.2" }, { - "@id": "pkg:otp/erts@15.1.1" + "@id": "pkg:otp/ssl@11.2.1" }, { - "@id": "pkg:github/erlang/otp@OTP-27.1.2" + "@id": "pkg:otp/ssl@11.2.2" }, { - "@id": "pkg:otp/erts@15.1.2" + "@id": "pkg:otp/ssl@11.2.3" }, + { + "@id": "pkg:otp/ssl@11.2.4" + } + ], + "status": "affected", + "action_statement": "Update to ssl@11.2.5", + "action_statement_timestamp": "2025-12-01T15:58:04.676135893+01:00" + }, + { + "vulnerability": { + "name": "CVE-2024-53846" + }, + "timestamp": "2025-12-01T15:58:04.701737024+01:00", + "products": [ { "@id": "pkg:github/erlang/otp@OTP-27.1.3" }, { - "@id": "pkg:otp/erts@15.1.3" - }, + "@id": "pkg:otp/ssl@11.2.5" + } + ], + "status": "fixed" + }, + { + "vulnerability": { + "name": "CVE-2025-30211" + }, + "timestamp": "2025-12-01T15:58:04.727733703+01:00", + "products": [ { - "@id": "pkg:github/erlang/otp@OTP-27.2" + "@id": "pkg:github/erlang/otp@OTP-27.0" }, { - "@id": "pkg:otp/erts@15.2" + "@id": 
"pkg:github/erlang/otp@OTP-27.0.1" }, { - "@id": "pkg:github/erlang/otp@OTP-27.2.1" + "@id": "pkg:github/erlang/otp@OTP-27.1" }, { - "@id": "pkg:otp/erts@15.2.1" + "@id": "pkg:github/erlang/otp@OTP-27.1.1" }, { - "@id": "pkg:github/erlang/otp@OTP-27.2.2" + "@id": "pkg:github/erlang/otp@OTP-27.1.2" }, { - "@id": "pkg:github/erlang/otp@OTP-27.2.3" + "@id": "pkg:github/erlang/otp@OTP-27.1.3" }, { - "@id": "pkg:github/erlang/otp@OTP-27.2.4" + "@id": "pkg:github/erlang/otp@OTP-27.2" }, { - "@id": "pkg:otp/erts@15.2.2" + "@id": "pkg:github/erlang/otp@OTP-27.2.1" }, { - "@id": "pkg:github/erlang/otp@OTP-27.3" + "@id": "pkg:github/erlang/otp@OTP-27.2.2" }, { - "@id": "pkg:otp/erts@15.2.3" + "@id": "pkg:github/erlang/otp@OTP-27.2.3" }, { - "@id": "pkg:github/erlang/otp@OTP-27.3.1" + "@id": "pkg:github/erlang/otp@OTP-27.2.4" }, { - "@id": "pkg:otp/erts@15.2.4" + "@id": "pkg:github/erlang/otp@OTP-27.3" }, { - "@id": "pkg:github/erlang/otp@OTP-27.3.2" + "@id": "pkg:otp/ssh@5.2" }, { - "@id": "pkg:otp/erts@15.2.5" + "@id": "pkg:otp/ssh@5.2.1" }, { - "@id": "pkg:github/erlang/otp@OTP-27.3.3" + "@id": "pkg:otp/ssh@5.2.2" }, { - "@id": "pkg:otp/erts@15.2.6" + "@id": "pkg:otp/ssh@5.2.3" }, { - "@id": "pkg:github/erlang/otp@OTP-27.3.4" + "@id": "pkg:otp/ssh@5.2.4" }, { - "@id": "pkg:github/erlang/otp@OTP-27.3.4.1" + "@id": "pkg:otp/ssh@5.2.5" }, { - "@id": "pkg:otp/erts@15.2.7" + "@id": "pkg:otp/ssh@5.2.6" }, { - "@id": "pkg:github/erlang/otp@OTP-27.3.4.2" + "@id": "pkg:otp/ssh@5.2.7" }, { - "@id": "pkg:otp/erts@15.2.7.1" + "@id": "pkg:otp/ssh@5.2.8" } ], - "status": "not_affected", - "justification": "vulnerable_code_not_present" + "status": "affected", + "action_statement": "Workaround: set option `parallel_login` to false. 
Reduce `max_sessions` option.", + "action_statement_timestamp": "2025-12-01T15:58:04.727733703+01:00" }, { "vulnerability": { - "name": "CVE-2023-45853" + "name": "CVE-2025-30211" }, - "timestamp": "2025-08-29T10:33:30.824022818+02:00", + "timestamp": "2025-12-01T15:58:04.754191758+01:00", "products": [ { - "@id": "pkg:github/madler/zlib@04f42ceca40f73e2978b50e93806c2a18c1281fc" + "@id": "pkg:github/erlang/otp@OTP-27.3.2" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.1" + }, + { + "@id": "pkg:otp/ssh@5.2.9" } ], - "status": "not_affected", - "justification": "vulnerable_code_not_present" + "status": "fixed" }, { "vulnerability": { - "name": "CVE-2023-6129" + "name": "CVE-2025-4748" }, - "timestamp": "2025-08-29T10:33:30.841980306+02:00", + "timestamp": "2025-12-01T15:58:04.781290272+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-27.0" 
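Review bot: `"version": 47,` is left as an unchanged context line in the header of vex/otp-27.openvex.json even though `timestamp`, `last_updated` and the statements that follow all change in this hunk; OpenVEX requires the document version to be incremented whenever any content in the document changes, so consumers that key on version will treat this as the same document as before. If vexctl does not bump it on regeneration, the generation step should, e.g. `"version": 48,`. The OTP-26 document above likely has the same issue, but its header is outside this chunk.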
@@ -183,81 +209,54 @@ "@id": "pkg:github/erlang/otp@OTP-27.3.4" }, { - "@id": "pkg:github/erlang/otp@OTP-27.3.4.1" - }, - { - "@id": "pkg:github/erlang/otp@OTP-27.3.4.2" - }, - { - "@id": "pkg:otp/erl_interface@5.5.2" - }, - { - "@id": "pkg:otp/erts@15.0" - }, - { - "@id": "pkg:otp/erts@15.0.1" - }, - { - "@id": "pkg:otp/erts@15.1" - }, - { - "@id": "pkg:otp/erts@15.1.1" - }, - { - "@id": "pkg:otp/erts@15.1.2" - }, - { - "@id": "pkg:otp/erts@15.1.3" - }, - { - "@id": "pkg:otp/erts@15.2" - }, - { - "@id": "pkg:otp/erts@15.2.1" + "@id": "pkg:otp/stdlib@6.0" }, { - "@id": "pkg:otp/erts@15.2.2" + "@id": "pkg:otp/stdlib@6.0.1" }, { - "@id": "pkg:otp/erts@15.2.3" + "@id": "pkg:otp/stdlib@6.1" }, { - "@id": "pkg:otp/erts@15.2.4" + "@id": "pkg:otp/stdlib@6.1.1" }, { - "@id": "pkg:otp/erts@15.2.5" + "@id": "pkg:otp/stdlib@6.1.2" }, { - "@id": "pkg:otp/erts@15.2.6" + "@id": "pkg:otp/stdlib@6.2" }, { - "@id": "pkg:otp/erts@15.2.7" + "@id": "pkg:otp/stdlib@6.2.1" }, { - "@id": "pkg:otp/erts@15.2.7.1" + "@id": "pkg:otp/stdlib@6.2.2" } ], - "status": "not_affected", - "justification": "vulnerable_code_not_present" + "status": "affected", + "action_statement": "Mitigation: Update to pkg:otp/stdlib@6.2.2.1", + "action_statement_timestamp": "2025-12-01T15:58:04.781290272+01:00" }, { "vulnerability": { - "name": "CVE-2023-6129" + "name": "CVE-2025-4748" }, - "timestamp": "2025-08-29T10:33:30.859430213+02:00", + "timestamp": "2025-12-01T15:58:04.807220844+01:00", "products": [ { - "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" + "@id": "pkg:github/erlang/otp@OTP-27.3.4.1" + }, + { + "@id": "pkg:otp/stdlib@6.2.2.1" } ], - "status": "not_affected", - "justification": "vulnerable_code_not_present" + "status": "fixed" }, { "vulnerability": { - "name": "CVE-2023-6237" + "name": "CVE-2025-46712" }, - "timestamp": "2025-08-29T10:33:30.876337978+02:00", + "timestamp": "2025-12-01T15:58:04.831658376+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-27.0" 
@@ -305,84 +304,140 @@ "@id": "pkg:github/erlang/otp@OTP-27.3.3" }, { - "@id": "pkg:github/erlang/otp@OTP-27.3.4" + "@id": "pkg:otp/ssh@5.2" }, { - "@id": "pkg:github/erlang/otp@OTP-27.3.4.1" + "@id": "pkg:otp/ssh@5.2.1" }, { - "@id": "pkg:github/erlang/otp@OTP-27.3.4.2" + "@id": "pkg:otp/ssh@5.2.2" }, { - "@id": "pkg:otp/erl_interface@5.5.2" + "@id": "pkg:otp/ssh@5.2.3" }, { - "@id": "pkg:otp/erts@15.0" + "@id": "pkg:otp/ssh@5.2.4" }, { - "@id": "pkg:otp/erts@15.0.1" + "@id": "pkg:otp/ssh@5.2.5" }, { - "@id": "pkg:otp/erts@15.1" + "@id": "pkg:otp/ssh@5.2.6" }, { - "@id": "pkg:otp/erts@15.1.1" + "@id": "pkg:otp/ssh@5.2.7" }, { - "@id": "pkg:otp/erts@15.1.2" + "@id": "pkg:otp/ssh@5.2.8" }, { - "@id": "pkg:otp/erts@15.1.3" + "@id": "pkg:otp/ssh@5.2.9" }, { - "@id": "pkg:otp/erts@15.2" + "@id": "pkg:otp/ssh@5.2.10" + } + ], + "status": "affected", + "action_statement": "Update to ssh@5.2.11", + "action_statement_timestamp": "2025-12-01T15:58:04.831658376+01:00" + }, + { + "vulnerability": { + "name": "CVE-2025-46712" + }, + "timestamp": "2025-12-01T15:58:04.856333805+01:00", + "products": [ + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4" }, { - "@id": "pkg:otp/erts@15.2.1" + "@id": "pkg:otp/ssh@5.2.11" + } + ], + "status": "fixed" + }, + { + "vulnerability": { + "name": "CVE-2025-26618" + }, + "timestamp": "2025-12-01T15:58:04.882662124+01:00", + "products": [ + { + "@id": "pkg:github/erlang/otp@OTP-27.0" }, { - "@id": "pkg:otp/erts@15.2.2" + "@id": "pkg:github/erlang/otp@OTP-27.0.1" }, { - "@id": "pkg:otp/erts@15.2.3" + "@id": "pkg:github/erlang/otp@OTP-27.1" }, { - "@id": "pkg:otp/erts@15.2.4" + "@id": "pkg:github/erlang/otp@OTP-27.1.1" }, { - "@id": "pkg:otp/erts@15.2.5" + "@id": "pkg:github/erlang/otp@OTP-27.1.2" }, { - "@id": "pkg:otp/erts@15.2.6" + "@id": "pkg:github/erlang/otp@OTP-27.1.3" }, { - "@id": "pkg:otp/erts@15.2.7" + "@id": "pkg:github/erlang/otp@OTP-27.2" }, { - "@id": "pkg:otp/erts@15.2.7.1" + "@id": "pkg:github/erlang/otp@OTP-27.2.1" + }, + { + 
"@id": "pkg:github/erlang/otp@OTP-27.2.2" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.2.3" + }, + { + "@id": "pkg:otp/ssh@5.2" + }, + { + "@id": "pkg:otp/ssh@5.2.1" + }, + { + "@id": "pkg:otp/ssh@5.2.2" + }, + { + "@id": "pkg:otp/ssh@5.2.3" + }, + { + "@id": "pkg:otp/ssh@5.2.4" + }, + { + "@id": "pkg:otp/ssh@5.2.5" + }, + { + "@id": "pkg:otp/ssh@5.2.6" } ], - "status": "not_affected", - "justification": "vulnerable_code_not_present" + "status": "affected", + "action_statement": "Update to the next version", + "action_statement_timestamp": "2025-12-01T15:58:04.882662124+01:00" }, { "vulnerability": { - "name": "CVE-2023-6237" + "name": "CVE-2025-26618" }, - "timestamp": "2025-08-29T10:33:30.892722179+02:00", + "timestamp": "2025-12-01T15:58:04.907576879+01:00", "products": [ { - "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" + "@id": "pkg:github/erlang/otp@OTP-27.2.4" + }, + { + "@id": "pkg:otp/ssh@5.2.7" } ], - "status": "not_affected", - "justification": "vulnerable_code_not_present" + "status": "fixed" }, { "vulnerability": { - "name": "CVE-2024-0727" + "name": "CVE-2025-4575" }, - "timestamp": "2025-08-29T10:33:30.910216444+02:00", + "timestamp": "2025-12-01T15:58:04.932616918+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-27.0" @@ -438,6 +493,18 @@ { "@id": "pkg:github/erlang/otp@OTP-27.3.4.2" }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.3" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.4" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.5" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.6" + }, { "@id": "pkg:otp/erl_interface@5.5.2" }, @@ -485,6 +552,15 @@ }, { "@id": "pkg:otp/erts@15.2.7.1" + }, + { + "@id": "pkg:otp/erts@15.2.7.2" + }, + { + "@id": "pkg:otp/erts@15.2.7.3" + }, + { + "@id": "pkg:otp/erts@15.2.7.4" } ], "status": "not_affected", 
@@ -492,9 +568,9 @@ }, { "vulnerability": { - "name": "CVE-2024-0727" + "name": "CVE-2025-4575" }, - "timestamp": "2025-08-29T10:33:30.926647348+02:00", + "timestamp": "2025-12-01T15:58:04.957167441+01:00", "products": [ { "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" @@ -505,9 +581,9 @@ }, { "vulnerability": { - "name": "CVE-2024-13176" + "name": "CVE-2024-9143" }, - "timestamp": "2025-08-29T10:33:30.944083221+02:00", + "timestamp": "2025-12-01T15:58:04.983234466+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-27.0" @@ -563,6 +639,18 @@ { "@id": "pkg:github/erlang/otp@OTP-27.3.4.2" }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.3" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.4" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.5" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.6" + }, { "@id": "pkg:otp/erl_interface@5.5.2" }, @@ -610,6 +698,15 @@ }, { "@id": "pkg:otp/erts@15.2.7.1" + }, + { + "@id": "pkg:otp/erts@15.2.7.2" + }, + { + "@id": "pkg:otp/erts@15.2.7.3" + }, + { + "@id": "pkg:otp/erts@15.2.7.4" } ], "status": "not_affected", @@ -617,9 +714,9 @@ }, { "vulnerability": { - "name": "CVE-2024-13176" + "name": "CVE-2024-9143" }, - "timestamp": "2025-08-29T10:33:30.960966308+02:00", + "timestamp": "2025-12-01T15:58:05.009435098+01:00", "products": [ { "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" @@ -630,9 +727,9 @@ }, { "vulnerability": { - "name": "CVE-2024-2511" + "name": "CVE-2024-6119" }, - "timestamp": "2025-08-29T10:33:30.976755562+02:00", + "timestamp": "2025-12-01T15:58:05.036687328+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-27.0" 
@@ -688,6 +785,18 @@ { "@id": "pkg:github/erlang/otp@OTP-27.3.4.2" }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.3" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.4" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.5" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.6" + }, { "@id": "pkg:otp/erl_interface@5.5.2" }, @@ -735,6 +844,15 @@ }, { "@id": "pkg:otp/erts@15.2.7.1" + }, + { + "@id": "pkg:otp/erts@15.2.7.2" + }, + { + "@id": "pkg:otp/erts@15.2.7.3" + }, + { + "@id": "pkg:otp/erts@15.2.7.4" } ], "status": "not_affected", @@ -742,9 +860,9 @@ }, { "vulnerability": { - "name": "CVE-2024-2511" + "name": "CVE-2024-6119" }, - "timestamp": "2025-08-29T10:33:30.994189502+02:00", + "timestamp": "2025-12-01T15:58:05.064139567+01:00", "products": [ { "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" @@ -755,9 +873,9 @@ }, { "vulnerability": { - "name": "CVE-2024-4603" + "name": "CVE-2024-5535" }, - "timestamp": "2025-08-29T10:33:31.009866131+02:00", + "timestamp": "2025-12-01T15:58:05.091224128+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-27.0" @@ -813,6 +931,18 @@ { "@id": "pkg:github/erlang/otp@OTP-27.3.4.2" }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.3" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.4" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.5" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.6" + }, { "@id": "pkg:otp/erl_interface@5.5.2" }, @@ -860,6 +990,15 @@ }, { "@id": "pkg:otp/erts@15.2.7.1" + }, + { + "@id": "pkg:otp/erts@15.2.7.2" + }, + { + "@id": "pkg:otp/erts@15.2.7.3" + }, + { + "@id": "pkg:otp/erts@15.2.7.4" } ], "status": "not_affected", @@ -867,9 +1006,9 @@ }, { "vulnerability": { - "name": "CVE-2024-4603" + "name": "CVE-2024-5535" }, - "timestamp": "2025-08-29T10:33:31.026805289+02:00", + "timestamp": "2025-12-01T15:58:05.116158511+01:00", "products": [ { "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" 
@@ -882,7 +1021,7 @@ "vulnerability": { "name": "CVE-2024-4741" }, - "timestamp": "2025-08-29T10:33:31.041528968+02:00", + "timestamp": "2025-12-01T15:58:05.14290614+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-27.0" @@ -938,6 +1077,18 @@ { "@id": "pkg:github/erlang/otp@OTP-27.3.4.2" }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.3" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.4" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.5" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.6" + }, { "@id": "pkg:otp/erl_interface@5.5.2" }, @@ -985,6 +1136,15 @@ }, { "@id": "pkg:otp/erts@15.2.7.1" + }, + { + "@id": "pkg:otp/erts@15.2.7.2" + }, + { + "@id": "pkg:otp/erts@15.2.7.3" + }, + { + "@id": "pkg:otp/erts@15.2.7.4" } ], "status": "not_affected", @@ -994,7 +1154,7 @@ "vulnerability": { "name": "CVE-2024-4741" }, - "timestamp": "2025-08-29T10:33:31.058967636+02:00", + "timestamp": "2025-12-01T15:58:05.169815167+01:00", "products": [ { "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" @@ -1005,9 +1165,9 @@ }, { "vulnerability": { - "name": "CVE-2024-5535" + "name": "CVE-2024-4603" }, - "timestamp": "2025-08-29T10:33:31.075108293+02:00", + "timestamp": "2025-12-01T15:58:05.196616098+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-27.0" @@ -1063,6 +1223,18 @@ { "@id": "pkg:github/erlang/otp@OTP-27.3.4.2" }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.3" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.4" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.5" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.6" + }, { "@id": "pkg:otp/erl_interface@5.5.2" }, @@ -1110,6 +1282,15 @@ }, { "@id": "pkg:otp/erts@15.2.7.1" + }, + { + "@id": "pkg:otp/erts@15.2.7.2" + }, + { + "@id": "pkg:otp/erts@15.2.7.3" + }, + { + "@id": "pkg:otp/erts@15.2.7.4" } ], "status": "not_affected", 
@@ -1117,9 +1298,9 @@ }, { "vulnerability": { - "name": "CVE-2024-5535" + "name": "CVE-2024-4603" }, - "timestamp": "2025-08-29T10:33:31.093478722+02:00", + "timestamp": "2025-12-01T15:58:05.223672612+01:00", "products": [ { "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" @@ -1130,9 +1311,9 @@ }, { "vulnerability": { - "name": "CVE-2024-6119" + "name": "CVE-2024-2511" }, - "timestamp": "2025-08-29T10:33:31.113900628+02:00", + "timestamp": "2025-12-01T15:58:05.249808322+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-27.0" @@ -1188,6 +1369,18 @@ { "@id": "pkg:github/erlang/otp@OTP-27.3.4.2" }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.3" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.4" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.5" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.6" + }, { "@id": "pkg:otp/erl_interface@5.5.2" }, @@ -1235,6 +1428,15 @@ }, { "@id": "pkg:otp/erts@15.2.7.1" + }, + { + "@id": "pkg:otp/erts@15.2.7.2" + }, + { + "@id": "pkg:otp/erts@15.2.7.3" + }, + { + "@id": "pkg:otp/erts@15.2.7.4" } ], "status": "not_affected", @@ -1242,9 +1444,9 @@ }, { "vulnerability": { - "name": "CVE-2024-6119" + "name": "CVE-2024-2511" }, - "timestamp": "2025-08-29T10:33:31.13329083+02:00", + "timestamp": "2025-12-01T15:58:05.275428485+01:00", "products": [ { "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" @@ -1255,9 +1457,9 @@ }, { "vulnerability": { - "name": "CVE-2024-9143" + "name": "CVE-2024-13176" }, - "timestamp": "2025-08-29T10:33:31.151763299+02:00", + "timestamp": "2025-12-01T15:58:05.302915294+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-27.0" 
@@ -1313,6 +1515,18 @@ { "@id": "pkg:github/erlang/otp@OTP-27.3.4.2" }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.3" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.4" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.5" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.6" + }, { "@id": "pkg:otp/erl_interface@5.5.2" }, @@ -1360,6 +1574,15 @@ }, { "@id": "pkg:otp/erts@15.2.7.1" + }, + { + "@id": "pkg:otp/erts@15.2.7.2" + }, + { + "@id": "pkg:otp/erts@15.2.7.3" + }, + { + "@id": "pkg:otp/erts@15.2.7.4" } ], "status": "not_affected", @@ -1367,9 +1590,9 @@ }, { "vulnerability": { - "name": "CVE-2024-9143" + "name": "CVE-2024-13176" }, - "timestamp": "2025-08-29T10:33:31.167136773+02:00", + "timestamp": "2025-12-01T15:58:05.329480876+01:00", "products": [ { "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" @@ -1380,9 +1603,9 @@ }, { "vulnerability": { - "name": "CVE-2025-4575" + "name": "CVE-2024-0727" }, - "timestamp": "2025-08-29T10:33:31.184288796+02:00", + "timestamp": "2025-12-01T15:58:05.356446094+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-27.0" @@ -1438,6 +1661,18 @@ { "@id": "pkg:github/erlang/otp@OTP-27.3.4.2" }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.3" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.4" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.5" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.6" + }, { "@id": "pkg:otp/erl_interface@5.5.2" }, @@ -1485,6 +1720,15 @@ }, { "@id": "pkg:otp/erts@15.2.7.1" + }, + { + "@id": "pkg:otp/erts@15.2.7.2" + }, + { + "@id": "pkg:otp/erts@15.2.7.3" + }, + { + "@id": "pkg:otp/erts@15.2.7.4" } ], "status": "not_affected", @@ -1492,9 +1736,9 @@ }, { "vulnerability": { - "name": "CVE-2025-4575" + "name": "CVE-2024-0727" }, - "timestamp": "2025-08-29T10:33:31.199776515+02:00", + "timestamp": "2025-12-01T15:58:05.382511802+01:00", "products": [ { "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" 
@@ -1505,9 +1749,9 @@ }, { "vulnerability": { - "name": "CVE-2025-26618" + "name": "CVE-2023-6237" }, - "timestamp": "2025-08-29T10:33:31.217617784+02:00", + "timestamp": "2025-12-01T15:58:05.412368374+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-27.0" 
@@ -1525,66 +1769,135 @@ "@id": "pkg:github/erlang/otp@OTP-27.1.2" }, { - "@id": "pkg:github/erlang/otp@OTP-27.1.3" + "@id": "pkg:github/erlang/otp@OTP-27.1.3" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.2" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.2.1" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.2.2" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.2.3" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.2.4" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.1" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.2" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.3" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.1" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.2" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.3" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.4" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.5" + }, + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.6" + }, + { + "@id": "pkg:otp/erl_interface@5.5.2" + }, + { + "@id": "pkg:otp/erts@15.0" + }, + { + "@id": "pkg:otp/erts@15.0.1" + }, + { + "@id": "pkg:otp/erts@15.1" + }, + { + "@id": "pkg:otp/erts@15.1.1" + }, + { + "@id": "pkg:otp/erts@15.1.2" + }, + { + "@id": "pkg:otp/erts@15.1.3" + }, + { + "@id": "pkg:otp/erts@15.2" }, { - "@id": "pkg:github/erlang/otp@OTP-27.2" + "@id": "pkg:otp/erts@15.2.1" }, { - "@id": "pkg:github/erlang/otp@OTP-27.2.1" + "@id": "pkg:otp/erts@15.2.2" }, { - "@id": "pkg:github/erlang/otp@OTP-27.2.2" + "@id": "pkg:otp/erts@15.2.3" }, { - "@id": "pkg:github/erlang/otp@OTP-27.2.3" + "@id": "pkg:otp/erts@15.2.4" }, { - "@id": "pkg:otp/ssh@5.2" + "@id": "pkg:otp/erts@15.2.5" }, { - "@id": "pkg:otp/ssh@5.2.1" + "@id": "pkg:otp/erts@15.2.6" }, { - "@id": "pkg:otp/ssh@5.2.2" + "@id": "pkg:otp/erts@15.2.7" }, { - "@id": "pkg:otp/ssh@5.2.3" + "@id": "pkg:otp/erts@15.2.7.1" }, { - "@id": "pkg:otp/ssh@5.2.4" + "@id": "pkg:otp/erts@15.2.7.2" }, { - "@id": 
"pkg:otp/ssh@5.2.5" + "@id": "pkg:otp/erts@15.2.7.3" }, { - "@id": "pkg:otp/ssh@5.2.6" + "@id": "pkg:otp/erts@15.2.7.4" } ], - "status": "affected", - "action_statement": "Update to the next version", - "action_statement_timestamp": "2025-08-29T10:33:31.217617784+02:00" + "status": "not_affected", + "justification": "vulnerable_code_not_present" }, { "vulnerability": { - "name": "CVE-2025-26618" + "name": "CVE-2023-6237" }, - "timestamp": "2025-08-29T10:33:31.233913609+02:00", + "timestamp": "2025-12-01T15:58:05.439685196+01:00", "products": [ { - "@id": "pkg:github/erlang/otp@OTP-27.2.4" - }, - { - "@id": "pkg:otp/ssh@5.2.7" + "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" } ], - "status": "fixed" + "status": "not_affected", + "justification": "vulnerable_code_not_present" }, { "vulnerability": { - "name": "CVE-2025-46712" + "name": "CVE-2023-6129" }, - "timestamp": "2025-08-29T10:33:31.251737653+02:00", + "timestamp": "2025-12-01T15:58:05.469612304+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-27.0" 
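Review bot: The `affected` and `fixed` statements for CVE-2025-26618 are removed at this position (the `affected` one carrying `"action_statement": "Update to the next version"`, the `fixed` one listing `OTP-27.2.4` and `ssh@5.2.7`) and `not_affected` statements for CVE-2023-6237 take their place; the next hunks do the same for CVE-2025-46712, CVE-2025-4748, CVE-2025-30211 and CVE-2024-53846. The new-side offsets growing by a few hundred lines suggest these statements were re-emitted earlier in the document, but nothing in the diff shows that, and if they were dropped the regenerated file silently withdraws the only statements telling consumers which OTP, ssh, stdlib and ssl versions those CVEs affect. Before merging, compare the set of `vulnerability.name`/`status`/`products` triples between the old and new document instead of reading the reordered hunks by eye, and consider making the generator emit statements in a stable order so later regenerations produce reviewable diffs.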
@@ -1631,187 +1944,155 @@ { "@id": "pkg:github/erlang/otp@OTP-27.3.3" }, - { - "@id": "pkg:otp/ssh@5.2" - }, - { - "@id": "pkg:otp/ssh@5.2.1" - }, - { - "@id": "pkg:otp/ssh@5.2.2" - }, - { - "@id": "pkg:otp/ssh@5.2.3" - }, - { - "@id": "pkg:otp/ssh@5.2.4" - }, - { - "@id": "pkg:otp/ssh@5.2.5" - }, - { - "@id": "pkg:otp/ssh@5.2.6" - }, - { - "@id": "pkg:otp/ssh@5.2.7" - }, - { - "@id": "pkg:otp/ssh@5.2.8" - }, - { - "@id": "pkg:otp/ssh@5.2.9" - }, - { - "@id": "pkg:otp/ssh@5.2.10" - } - ], - "status": "affected", - "action_statement": "Update to ssh@5.2.11", - "action_statement_timestamp": "2025-08-29T10:33:31.251737653+02:00" - }, - { - "vulnerability": { - "name": "CVE-2025-46712" - }, - "timestamp": "2025-08-29T10:33:31.269168306+02:00", - "products": [ { "@id": "pkg:github/erlang/otp@OTP-27.3.4" }, { - "@id": "pkg:otp/ssh@5.2.11" - } - ], - "status": "fixed" - }, - { - "vulnerability": { - "name": "CVE-2025-4748" - }, - "timestamp": "2025-08-29T10:33:31.284483035+02:00", - "products": [ + "@id": "pkg:github/erlang/otp@OTP-27.3.4.1" + }, { - "@id": "pkg:github/erlang/otp@OTP-27.0" + "@id": "pkg:github/erlang/otp@OTP-27.3.4.2" }, { - "@id": "pkg:github/erlang/otp@OTP-27.0.1" + "@id": "pkg:github/erlang/otp@OTP-27.3.4.3" }, { - "@id": "pkg:github/erlang/otp@OTP-27.1" + "@id": "pkg:github/erlang/otp@OTP-27.3.4.4" }, { - "@id": "pkg:github/erlang/otp@OTP-27.1.1" + "@id": "pkg:github/erlang/otp@OTP-27.3.4.5" }, { - "@id": "pkg:github/erlang/otp@OTP-27.1.2" + "@id": "pkg:github/erlang/otp@OTP-27.3.4.6" }, { - "@id": "pkg:github/erlang/otp@OTP-27.1.3" + "@id": "pkg:otp/erl_interface@5.5.2" }, { - "@id": "pkg:github/erlang/otp@OTP-27.2" + "@id": "pkg:otp/erts@15.0" }, { - "@id": "pkg:github/erlang/otp@OTP-27.2.1" + "@id": "pkg:otp/erts@15.0.1" }, { - "@id": "pkg:github/erlang/otp@OTP-27.2.2" + "@id": "pkg:otp/erts@15.1" }, { - "@id": "pkg:github/erlang/otp@OTP-27.2.3" + "@id": "pkg:otp/erts@15.1.1" }, { - "@id": "pkg:github/erlang/otp@OTP-27.2.4" + "@id": 
"pkg:otp/erts@15.1.2" }, { - "@id": "pkg:github/erlang/otp@OTP-27.3" + "@id": "pkg:otp/erts@15.1.3" }, { - "@id": "pkg:github/erlang/otp@OTP-27.3.1" + "@id": "pkg:otp/erts@15.2" }, { - "@id": "pkg:github/erlang/otp@OTP-27.3.2" + "@id": "pkg:otp/erts@15.2.1" }, { - "@id": "pkg:github/erlang/otp@OTP-27.3.3" + "@id": "pkg:otp/erts@15.2.2" }, { - "@id": "pkg:github/erlang/otp@OTP-27.3.4" + "@id": "pkg:otp/erts@15.2.3" }, { - "@id": "pkg:otp/stdlib@6.0" + "@id": "pkg:otp/erts@15.2.4" }, { - "@id": "pkg:otp/stdlib@6.0.1" + "@id": "pkg:otp/erts@15.2.5" }, { - "@id": "pkg:otp/stdlib@6.1" + "@id": "pkg:otp/erts@15.2.6" }, { - "@id": "pkg:otp/stdlib@6.1.1" + "@id": "pkg:otp/erts@15.2.7" }, { - "@id": "pkg:otp/stdlib@6.1.2" + "@id": "pkg:otp/erts@15.2.7.1" }, { - "@id": "pkg:otp/stdlib@6.2" + "@id": "pkg:otp/erts@15.2.7.2" }, { - "@id": "pkg:otp/stdlib@6.2.1" + "@id": "pkg:otp/erts@15.2.7.3" }, { - "@id": "pkg:otp/stdlib@6.2.2" + "@id": "pkg:otp/erts@15.2.7.4" } ], - "status": "affected", - "action_statement": "Mitigation: Update to pkg:otp/stdlib@6.2.2.1", - "action_statement_timestamp": "2025-08-29T10:33:31.284483035+02:00" + "status": "not_affected", + "justification": "vulnerable_code_not_present" }, { "vulnerability": { - "name": "CVE-2025-4748" + "name": "CVE-2023-6129" }, - "timestamp": "2025-08-29T10:33:31.301514602+02:00", + "timestamp": "2025-12-01T15:58:05.496467259+01:00", "products": [ { - "@id": "pkg:github/erlang/otp@OTP-27.3.4.1" - }, - { - "@id": "pkg:otp/stdlib@6.2.2.1" + "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" } ], - "status": "fixed" + "status": "not_affected", + "justification": "vulnerable_code_not_present" }, { "vulnerability": { - "name": "CVE-2025-30211" + "name": "CVE-2023-45853" }, - "timestamp": "2025-08-29T10:33:31.317829267+02:00", + "timestamp": "2025-12-01T15:58:05.524449166+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-27.0" }, + { + "@id": "pkg:otp/erts@15.0" + }, { "@id": 
"pkg:github/erlang/otp@OTP-27.0.1" }, + { + "@id": "pkg:otp/erts@15.0.1" + }, { "@id": "pkg:github/erlang/otp@OTP-27.1" }, + { + "@id": "pkg:otp/erts@15.1" + }, { "@id": "pkg:github/erlang/otp@OTP-27.1.1" }, + { + "@id": "pkg:otp/erts@15.1.1" + }, { "@id": "pkg:github/erlang/otp@OTP-27.1.2" }, + { + "@id": "pkg:otp/erts@15.1.2" + }, { "@id": "pkg:github/erlang/otp@OTP-27.1.3" }, + { + "@id": "pkg:otp/erts@15.1.3" + }, { "@id": "pkg:github/erlang/otp@OTP-27.2" }, + { + "@id": "pkg:otp/erts@15.2" + }, { "@id": "pkg:github/erlang/otp@OTP-27.2.1" }, + { + "@id": "pkg:otp/erts@15.2.1" + }, { "@id": "pkg:github/erlang/otp@OTP-27.2.2" }, 
@@ -1822,119 +2103,90 @@ "@id": "pkg:github/erlang/otp@OTP-27.2.4" }, { - "@id": "pkg:github/erlang/otp@OTP-27.3" + "@id": "pkg:otp/erts@15.2.2" }, { - "@id": "pkg:otp/ssh@5.2" + "@id": "pkg:github/erlang/otp@OTP-27.3" }, { - "@id": "pkg:otp/ssh@5.2.1" + "@id": "pkg:otp/erts@15.2.3" }, { - "@id": "pkg:otp/ssh@5.2.2" + "@id": "pkg:github/erlang/otp@OTP-27.3.1" }, { - "@id": "pkg:otp/ssh@5.2.3" + "@id": "pkg:otp/erts@15.2.4" }, { - "@id": "pkg:otp/ssh@5.2.4" + "@id": "pkg:github/erlang/otp@OTP-27.3.2" }, { - "@id": "pkg:otp/ssh@5.2.5" + "@id": "pkg:otp/erts@15.2.5" }, { - "@id": "pkg:otp/ssh@5.2.6" + "@id": "pkg:github/erlang/otp@OTP-27.3.3" }, { - "@id": "pkg:otp/ssh@5.2.7" + "@id": "pkg:otp/erts@15.2.6" }, { - "@id": "pkg:otp/ssh@5.2.8" - } - ], - "status": "affected", - "action_statement": "Workaround: set option `parallel_login` to false. Reduce `max_sessions` option.", - "action_statement_timestamp": "2025-08-29T10:33:31.317829267+02:00" - }, - { - "vulnerability": { - "name": "CVE-2025-30211" - }, - "timestamp": "2025-08-29T10:33:31.334865723+02:00", - "products": [ - { - "@id": "pkg:github/erlang/otp@OTP-27.3.2" + "@id": "pkg:github/erlang/otp@OTP-27.3.4" }, { - "@id": "pkg:github/erlang/otp@OTP-27.3.1" + "@id": "pkg:github/erlang/otp@OTP-27.3.4.1" }, { - "@id": "pkg:otp/ssh@5.2.9" - } - ], - "status": "fixed" - }, - { - "vulnerability": { - "name": "CVE-2024-53846" - }, - "timestamp": "2025-08-29T10:33:31.35189528+02:00", - "products": [ - { - "@id": "pkg:github/erlang/otp@OTP-27.0" + "@id": "pkg:otp/erts@15.2.7" }, { - "@id": "pkg:github/erlang/otp@OTP-27.0.1" + "@id": "pkg:github/erlang/otp@OTP-27.3.4.2" }, { - "@id": "pkg:github/erlang/otp@OTP-27.1" + "@id": "pkg:otp/erts@15.2.7.1" }, { - "@id": "pkg:github/erlang/otp@OTP-27.1.1" + "@id": "pkg:github/erlang/otp@OTP-27.3.4.3" }, { - "@id": "pkg:github/erlang/otp@OTP-27.1.2" + "@id": "pkg:otp/erts@15.2.7.2" }, { - "@id": "pkg:otp/ssl@11.2" + "@id": "pkg:github/erlang/otp@OTP-27.3.4.4" }, { - "@id": 
"pkg:otp/ssl@11.2.1" + "@id": "pkg:github/erlang/otp@OTP-27.3.4.5" }, { - "@id": "pkg:otp/ssl@11.2.2" + "@id": "pkg:otp/erts@15.2.7.3" }, { - "@id": "pkg:otp/ssl@11.2.3" + "@id": "pkg:github/erlang/otp@OTP-27.3.4.6" }, { - "@id": "pkg:otp/ssl@11.2.4" + "@id": "pkg:otp/erts@15.2.7.4" } ], - "status": "affected", - "action_statement": "Update to ssl@11.2.5", - "action_statement_timestamp": "2025-08-29T10:33:31.35189528+02:00" + "status": "not_affected", + "justification": "vulnerable_code_not_present" }, { "vulnerability": { - "name": "CVE-2024-53846" + "name": "CVE-2023-45853" }, - "timestamp": "2025-08-29T10:33:31.369169097+02:00", + "timestamp": "2025-12-01T15:58:05.551921819+01:00", "products": [ { - "@id": "pkg:github/erlang/otp@OTP-27.1.3" - }, - { - "@id": "pkg:otp/ssl@11.2.5" + "@id": "pkg:github/madler/zlib@04f42ceca40f73e2978b50e93806c2a18c1281fc" } ], - "status": "fixed" + "status": "not_affected", + "justification": "vulnerable_code_not_present" }, { "vulnerability": { "name": "CVE-2025-48038" }, - "timestamp": "2025-09-16T08:22:15.308762291Z", + "timestamp": "2025-12-01T15:58:05.580498585+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-27.0" @@ -2035,14 +2287,17 @@ ], "status": "affected", "action_statement": "Update to any of the following versions: pkg:otp/ssh@5.2.11.3", - "action_statement_timestamp": "2025-09-16T08:22:15.308762291Z" + "action_statement_timestamp": "2025-12-01T15:58:05.580498585+01:00" }, { "vulnerability": { "name": "CVE-2025-48038" }, - "timestamp": "2025-09-16T08:22:15.327873626Z", + "timestamp": "2025-12-01T15:58:05.608470962+01:00", "products": [ + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.4" + }, { "@id": "pkg:github/erlang/otp@OTP-27.3.4.3" }, @@ -2056,7 +2311,7 @@ "vulnerability": { "name": "CVE-2025-48039" }, - "timestamp": "2025-09-16T08:22:15.345957868Z", + "timestamp": "2025-12-01T15:58:05.636601008+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-27.0" 
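Review bot: In the `fixed` statement for CVE-2025-48038, `OTP-27.3.4.4` is inserted before `OTP-27.3.4.3`, and the next hunks do the same for CVE-2025-48039, CVE-2025-48040, CVE-2016-1000107 and CVE-2025-48041, while `OTP-27.3.4.5` and `OTP-27.3.4.6`, which this patch does add to the product lists of the third-party `not_affected` statements, are not added to these `fixed` lists. Unless they appear in the part of each product list outside the hunk, a consumer checking 27.3.4.5 or 27.3.4.6 against these CVEs finds no `fixed` claim at all and has to treat the version as unassessed. The out-of-order insertion also suggests the product list is not sorted by the generator; sorting it would make such gaps obvious in review.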
@@ -2157,14 +2412,17 @@ ], "status": "affected", "action_statement": "Update to any of the following versions: pkg:otp/ssh@5.2.11.3", - "action_statement_timestamp": "2025-09-16T08:22:15.345957868Z" + "action_statement_timestamp": "2025-12-01T15:58:05.636601008+01:00" }, { "vulnerability": { "name": "CVE-2025-48039" }, - "timestamp": "2025-09-16T08:22:15.365152629Z", + "timestamp": "2025-12-01T15:58:05.664196691+01:00", "products": [ + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.4" + }, { "@id": "pkg:github/erlang/otp@OTP-27.3.4.3" }, @@ -2178,7 +2436,7 @@ "vulnerability": { "name": "CVE-2025-48040" }, - "timestamp": "2025-09-16T08:22:15.383850246Z", + "timestamp": "2025-12-01T15:58:05.691304202+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-27.0" @@ -2279,14 +2537,17 @@ ], "status": "affected", "action_statement": "Update to any of the following versions: pkg:otp/ssh@5.2.11.3", - "action_statement_timestamp": "2025-09-16T08:22:15.383850246Z" + "action_statement_timestamp": "2025-12-01T15:58:05.691304202+01:00" }, { "vulnerability": { "name": "CVE-2025-48040" }, - "timestamp": "2025-09-16T08:22:15.401599789Z", + "timestamp": "2025-12-01T15:58:05.718530378+01:00", "products": [ + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.4" + }, { "@id": "pkg:github/erlang/otp@OTP-27.3.4.3" }, @@ -2300,7 +2561,7 @@ "vulnerability": { "name": "CVE-2016-1000107" }, - "timestamp": "2025-09-16T08:22:15.421198266Z", + "timestamp": "2025-12-01T15:58:05.746801093+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-27.0" 
@@ -2371,14 +2632,17 @@ ], "status": "affected", "action_statement": "Update to any of the following versions: pkg:otp/inets@9.3.2.1", - "action_statement_timestamp": "2025-09-16T08:22:15.421198266Z" + "action_statement_timestamp": "2025-12-01T15:58:05.746801093+01:00" }, { "vulnerability": { "name": "CVE-2016-1000107" }, - "timestamp": "2025-09-16T08:22:15.43955064Z", + "timestamp": "2025-12-01T15:58:05.774679617+01:00", "products": [ + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.4" + }, { "@id": "pkg:github/erlang/otp@OTP-27.3.4.3" }, @@ -2392,7 +2656,7 @@ "vulnerability": { "name": "CVE-2025-48041" }, - "timestamp": "2025-09-16T08:22:15.458177853Z", + "timestamp": "2025-12-01T15:58:05.803591848+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-27.0" @@ -2493,14 +2757,17 @@ ], "status": "affected", "action_statement": "Update to any of the following versions: pkg:otp/ssh@5.2.11.3", - "action_statement_timestamp": "2025-09-16T08:22:15.458177853Z" + "action_statement_timestamp": "2025-12-01T15:58:05.803591848+01:00" }, { "vulnerability": { "name": "CVE-2025-48041" }, - "timestamp": "2025-09-16T08:22:15.476910064Z", + "timestamp": "2025-12-01T15:58:05.831175442+01:00", "products": [ + { + "@id": "pkg:github/erlang/otp@OTP-27.3.4.4" + }, { "@id": "pkg:github/erlang/otp@OTP-27.3.4.3" }, @@ -2514,7 +2781,7 @@ "vulnerability": { "name": "CVE-2025-32433" }, - "timestamp": "2025-09-16T08:22:15.495293841Z", + "timestamp": "2025-12-01T15:58:05.860624884+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-27.0" 
@@ -2591,13 +2858,13 @@ ], "status": "affected", "action_statement": "Update to any of the following versions: pkg:otp/ssh@5.2.10", - "action_statement_timestamp": "2025-09-16T08:22:15.495293841Z" + "action_statement_timestamp": "2025-12-01T15:58:05.860624884+01:00" }, { "vulnerability": { "name": "CVE-2025-32433" }, - "timestamp": "2025-09-16T08:22:15.513622982Z", + "timestamp": "2025-12-01T15:58:05.887623095+01:00", "products": [ { "@id": "pkg:github/erlang/otp@OTP-27.3.3" From 4cb56c41111d6cbcb6c3f959ae94aae15601dca0 Mon Sep 17 00:00:00 2001 From: Kiko Fernandez-Reyes Date: Mon, 1 Dec 2025 20:53:52 +0100 Subject: [PATCH 4/4] add openvex docs --- system/doc/README.md | 3 + system/doc/docs.exs | 1 + system/doc/guides | 1 + system/doc/vulnerabilities/vulnerabilities.md | 140 ++++++++++++++++++ 4 files changed, 145 insertions(+) create mode 100644 system/doc/vulnerabilities/vulnerabilities.md diff --git a/system/doc/README.md b/system/doc/README.md index 684a71de1e62..7ffa17570f17 100644 --- a/system/doc/README.md +++ b/system/doc/README.md @@ -44,3 +44,6 @@ to use Erlang/OTP and different aspects of working with Erlang/OTP. The guides a interoperability between Erlang and C. * [Embedded Systems User's Guide](embedded/embedded.md) - This section describes the issues that are specific for running Erlang on an embedded system. +* [VEX Statements](vex/vulnerabilities.md) - + This section describes how Erlang/OTP reports OpenVex statements and their meaning + towards third parties. diff --git a/system/doc/docs.exs b/system/doc/docs.exs index a25e7040bb98..cba2bd1dc533 100644 --- a/system/doc/docs.exs +++ b/system/doc/docs.exs @@ -32,6 +32,7 @@ "system_principles/versions.md": [], "system_principles/misc.md": [], "sbom/sbom.md": [], + "vulnerabilities/vulnerabilities.md": [], "embedded/embedded.md": [], "getting_started/getting_started.md": [], "getting_started/seq_prog.md": [], diff --git a/system/doc/guides b/system/doc/guides index 4b3e7309b2d1..78a4afc85687 100644 
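Review bot: The new README entry links to `vex/vulnerabilities.md`, but the file added by this patch lives at `system/doc/vulnerabilities/vulnerabilities.md`, `docs.exs` registers it as `"vulnerabilities/vulnerabilities.md"` and `guides` names the section `vulnerabilities`, so the link is dead. Change the line to `* [VEX Statements](vulnerabilities/vulnerabilities.md) -`.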
--- a/system/doc/guides +++ b/system/doc/guides @@ -8,3 +8,4 @@ efficiency_guide:Efficiency Guide tutorial:Interoperability Tutorial embedded:Embedded Systems User's Guide sbom:Software Bill Of Materials +vulnerabilities:VEX Statements diff --git a/system/doc/vulnerabilities/vulnerabilities.md b/system/doc/vulnerabilities/vulnerabilities.md new file mode 100644 index 000000000000..58f6ccc865e8 --- /dev/null +++ b/system/doc/vulnerabilities/vulnerabilities.md 
@@ -0,0 +1,140 @@
+
+
+# Vulnerabilities
+
+[](){: #vulnerabilities }
+
+## Introduction
+
+This section describes how Erlang/OTP reports vulnerabilities for Erlang/OTP
+CVEs and third party dependencies on which Erlang/OTP builds upon.
+
+Erlang/OTP reports all vulnerabilities using the [OpenVEX
+specification](https://github.com/openvex/spec). This specification allows to
+easily describe which CVEs affect which Erlang/OTP versions and specific OTP
+applications. It also records which CVEs from third parties affect (or do not
+affect) Erlang/OTP.
+
+Erlang/OTP releases OpenVEX statements under `vex/otp-.openvex.json` in
+the [Erlang/OTP Github repository](https://github.com/erlang/otp) in the `master` branch, where
+`` corresponds to the number of the Erlang/OTP release.
+
+## Erlang/OTP VEX Statements
+
+Erlang/OTP OpenVEX statements specify which Erlang/OTP versions are affected/fixed (e.g.,
+`pkg:otp/erlang@27.3.1`), as well as the specific Erlang/OTP application number
+of all affected versions (e.g., `pkg:otp/ssh@5.2.9`).
+
+As an example, a snippet of the `vex/otp-27.openvex.json` contains the
+vulnerability identified by `CVE-2025-32433`, following by the status of the
+vulnerability (`affected`), the affected Erlang/OTP releases, namely `27.3.1`
+and `27.3.2`, and the Erlang/OTP application that was vulnerable, `ssh@5.2.9`.
+The affected versions are reported using the release version and the
+application because it is possible to update the application independently
+from the release.
+In some cases, there may be an optional action statement that describes a workaround
+to avoid the mentioned vulnerability.
+
+```
+{
+ "vulnerability": {
+ "name": "CVE-2025-32433"
+ },
+ "timestamp": "2025-06-18T12:18:16.661272703+02:00",
+ "products": [
+ { "@id": "pkg:otp/erlang@27.3.1" },
+ { "@id": "pkg:otp/erlang@27.3.2" },
+ { "@id": "pkg:otp/ssh@5.2.9" }
+ ],
+ "status": "affected",
+ "action_statement": "A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.",
+ "action_statement_timestamp": "2025-06-18T12:18:16.661272703+02:00"
+},
+```
+
+The fixed version will be reported in a similar fashion as follows, in the same document.
+As an example, there is a new statement for `CVE-2025-32433` with status `fixed`,
+that links to the versions that do not suffer from `CVE-2025-32433`, namely
+`erlang@27.3.3` and `otp/ssh@5.2.10`.
+
+```
+{
+ "vulnerability": {
+ "name": "CVE-2025-32433"
+ },
+ "timestamp": "2025-06-18T12:18:16.676540081+02:00",
+ "products": [
+ { "@id": "pkg:otp/erlang@27.3.3" },
+ { "@id": "pkg:otp/ssh@5.2.10" }
+ ],
+ "status": "fixed"
+},
+```
+
+## Third Party VEX Statements
+
+Erlang/OTP generates statements for 3rd parties from which the project depends
+on. It is really important to understand the scope of the third party
+applications, since Erlang/OTP vendors some libraries as part of the runtime.
+
+Vendoring means that Erlang/OTP code contains a local copy of a library.
+There are numerous use cases for why this is necessary, and we will not cover the use cases here.
+
+**This excludes dynamically or statically linked libraries during the Erlang/OTP build process. For instance, any security related Erlang application will rely on dynamically or statically linked version of OpenSSL cryptolib.**
+
+Erlang/OTP reports vulnerabilities for any source code that is vulnerable and
+included in the Erlang/OTP release.
+
+The OpenVEX statements for our third party libraries specify the affected/fixed
+version using the commit SHA1 from their respective repository.
This is simply
+because our third party dependencies are in C/C++ and vulnerability scanners
+such as OSV report vulnerabilities in ranges.
+
+As an example, we mention that the OpenSSL code that Erlang/OTP vendors
+is not susceptible for `CVE-2023-6129`, as follows:
+
+```
+{
+ "vulnerability": {
+ "name": "CVE-2023-6129"
+ },
+ "timestamp": "2025-06-18T12:18:16.47247833+02:00",
+ "products": [
+ { "@id": "pkg:github/openssl/openssl@01d5e2318405362b4de5e670c90d9b40a351d053" }
+ ],
+ "status": "not_affected",
+ "justification": "vulnerable_code_not_present"
+}
+```
+
+Diving into the example, this means that Erlang/OTP vendors a version of `openssl` taken from commit `01d5e2318405362b4de5e670c90d9b40a351d053` from the repository `https://github.com/openssl/openssl/commit/01d5e2318405362b4de5e670c90d9b40a351d053` (version of OpenSSL 3.1.4). The `openssl` code that Erlang/OTP vendors can be found in `./lib/erl_interface/src/openssl/` and `./erts/emulator/openssl/`. The OpenVEX statement claims that the code in those folders is not susceptible to `CVE-2023-6129`. The claim is towards **source code existing in Erlang/OTP**.
+
+In other words, the `not_affected` status refers to the library that Erlang/OTP vendors for OpenSSL (the library that comes
+included with Erlang/OTP). If you build Erlang/OTP and link to any OpenSSL version (e.g., 3.5.2 or even 3.1.4) during the building process,
+your project has now a new build and runtime dependency and may be subject to `CVE-2023-6129`.
+
+## Windows Binaries
+
+For the time being, Erlang/OTP Windows binaries are not reported in the OpenVEX
+specification.
+
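Review bot: The product identifiers used in the examples, `pkg:otp/erlang@27.3.1` and `erlang@27.3.3`, do not match what the accompanying `vex/otp-27.openvex.json` emits for releases in the earlier hunks of this series, namely the `pkg:github/erlang/otp@OTP-27.3.1` form, so a reader matching purls against the published file would not find the documented form; the examples should be copied from the generated document. Two wording fixes in the same file: `following by the status` should read `followed by the status`, and `is not susceptible for` should read `is not susceptible to`. The empty backticks in `vex/otp-.openvex.json` and in `` corresponds to the number look like a placeholder such as a version token that was lost somewhere between the source and this view; worth checking that the rendered documentation shows it.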