Conversation
Unauthenticated Remote Code Execution in Erlang/OTP SSH

https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2

Not many details and unfortunately I don't know much Erlang (yet), but this one seems pretty interesting!

CVE-2025-32433
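The advisory above gives no detail, so the first thing a defender can do is find out which SSH servers on the network are Erlang's ssh application at all. The following banner triage script is an added example written for this thread; it is not code from the thread, the advisory, or the erlang/otp project. It assumes (labelled in the code) that OTP's ssh daemon announces itself with a softwareversion field starting with "Erlang/" in its RFC 4253 identification string, and that the number after the slash is the ssh application version rather than the OTP release, so a hit means "go check the OTP version on that host", not "vulnerable". The sample banners are constructed, not captured from real hosts.

```python
"""Flag SSH servers whose RFC 4253 identification string says Erlang/OTP.

Added example for triage, not part of the original thread or the erlang/otp
project.  Assumptions: OTP's ssh daemon sends an identification line whose
softwareversion field begins with "Erlang/" (e.g. "SSH-2.0-Erlang/5.2.9"),
and the number after the slash is the OTP *ssh application* version, not the
OTP release number.  Treat a hit as a prompt to check the host, not a verdict.
"""
import re
import socket
from typing import Optional

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# protoversion has no '-' or whitespace; softwareversion has no whitespace.
_ID_LINE = re.compile(rb"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def parse_identification(data: bytes) -> Optional[dict]:
    """Return the parsed identification line from raw bytes sent by a server.

    RFC 4253 lets a server send other lines before the identification line,
    so only the first line beginning with "SSH-" is considered.
    """
    for raw in data.split(b"\n"):
        m = _ID_LINE.match(raw.rstrip(b"\r"))
        if m:
            return {
                "proto": m["proto"].decode("ascii", "replace"),
                "software": m["software"].decode("ascii", "replace"),
                "comments": (m["comments"] or b"").decode("ascii", "replace"),
            }
    return None


def is_erlang_ssh(data: bytes) -> bool:
    """True if the identification line claims the Erlang ssh application (assumed prefix)."""
    ident = parse_identification(data)
    return ident is not None and ident["software"].startswith("Erlang/")


def erlang_ssh_app_version(data: bytes) -> Optional[str]:
    """The ssh application version string after "Erlang/", or None if not Erlang."""
    ident = parse_identification(data)
    if ident is None or not ident["software"].startswith("Erlang/"):
        return None
    return ident["software"][len("Erlang/"):]


def grab_banner(host: str, port: int = 22, timeout: float = 3.0) -> bytes:
    """Read the server's identification line over the network (not used offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-banner_check\r\n")  # our own client identification
        buf = b""
        while b"\n" not in buf and len(buf) < 4096:
            chunk = s.recv(1024)
            if not chunk:
                break
            buf += chunk
        return buf


# Constructed sample banners for the offline run; not captured from real hosts.
SAMPLES = {
    "erlang": b"SSH-2.0-Erlang/5.2.9\r\n",
    "openssh": b"SSH-2.0-OpenSSH_9.6p1 Debian-4\r\n",
    "with_prelude": b"Welcome to the appliance\r\nSSH-2.0-Erlang/5.1\r\n",
    "not_ssh": b"HTTP/1.1 400 Bad Request\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:13s} erlang={is_erlang_ssh(data)} ssh_app={erlang_ssh_app_version(data)}")
```

To run it against a real host, call `grab_banner(host)` and pass the bytes to `is_erlang_ssh`; the offline samples exist so the parsing logic can be checked without touching the network. Mapping an ssh application version to a patched or unpatched OTP release is deliberately left out, since this page does not state the affected ranges.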
@buherator @p @mint more fun dropped, not sure who has the old/sshocial frontends enabled
@i @p @buherator Don't think I ever enabled it, I even had to disable Gopher since it calls timeline fetch directly with no rate limiting, letting anyone with an F5 key DoS the instance.
@p @i @buherator @mint pede implement RFC9421 properly please by tuesday #mutualaid
@sysrq @buherator @i @mint I had to run /lib/rfc/grabrfc because I didn't have that one.

Am I implementing it improperly? I basically just copied what Mastodon was doing.

I am going to shit a thing out related to this thread.
@p @i @buherator @mint
I dunno if you are or not; I'm just still annoyed over a bug in Erlang that's been fixed for five months now that affects Pleroma.
@sysrq @p @buherator @mint the RFC wasn't finished by the time Mastodon did theirs, so people are forced to ignore the 13 later draft revisions of subtle differences
@sysrq @buherator @i @mint

> I'm just still annoyed over a bug in Erlang that's been fixed for five months now that affects Pleroma.

Jill Sandwich.
@i @mint @buherator The GitHub link had basically no useful information, but Fyodor never lets you down: https://seclists.org/oss-sec/2025/q2/52

@buherator yeah, more details will be published after giving people time to patch.

@p @i @buherator @mint Was wondering why I saw 4 OTP releases yesterday in my Inbox. Now I know the answer.