Bug 2489552 - CVE-2026-48858 erlang: Erlang/OTP ftp: Server-Side Request Forgery (SSRF) via unvalidated PASV response IP address [epel-all]
Summary: CVE-2026-48858 erlang: Erlang/OTP ftp: Server-Side Request Forgery (SSRF) via...
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: erlang
Version: epel10
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: ---
Assignee: Richard W.M. Jones
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: {"flaws": ["b742bb48-b76d-49a4-921e-5...
Depends On:
Blocks: CVE-2026-48858
TreeView+ depends on / blocked
 
Reported: 2026-06-16 21:08 UTC by Christopher Lusk
Modified: 2026-07-10 17:41 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Christopher Lusk 2026-06-16 21:08:16 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Comment 1 Peter Lemenkov 2026-07-10 17:41:18 UTC
This is delivered for EL9/EL10 via the CentOS Messaging SIG rather than EPEL. Backported erlang builds addressing this CVE are being prepared for c9s and c10s (Messaging SIG); users can obtain them with `dnf install centos-release-messaging` (works on CentOS Stream, RHEL, AlmaLinux, and Rocky). The builds are working their way through the SIG testing tag and will reach stable soon enough. Will update once that lands.


Note You need to log in before you can comment on or make changes to this bug.