After becoming aware that erlang ships its internal copy of zlib (thanks to flameeyes), I checked the version included. Current stable 11.2.1 has zlib 1.1.4 while the latest in testing (11.2.5) has 2.2.3 (current zlib). In between, at least two security issues have been fixed. See bug 99751 (A1) and bug 61749 (A3). As zlib is patched, I cannot simply remove it and build against the system one, but upstream promised me to enable that in version 12. My proposal: stabilise 11.2.5 immediately (no bug reports in the few days it has been in the tree).
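The check described in the report above (find a bundled zlib inside a package's source tree and compare its version with the fixed release) can be scripted. The following is an added example written for this page; it is not code from the bug report, from Gentoo or from Erlang. It assumes that a bundled zlib is identifiable by its `zlib.h` header and its `ZLIB_VERSION` define, it treats 1.2.3 as the minimum acceptable version (an assumption of this example), and the directory layout it scans (`erts/zlib/`, `vendor/zlib-new/`) is constructed for the demonstration, not Erlang's real layout.

```python
"""Scan a source tree for bundled copies of zlib and flag the ones older than a
minimum version.  Added example for this page; the tree it builds is constructed."""
import os
import re
import tempfile

# zlib.h carries a line such as:   #define ZLIB_VERSION "1.2.3"
ZLIB_VERSION_RE = re.compile(
    r'^\s*#\s*define\s+ZLIB_VERSION\s+"([0-9][0-9.]*)"', re.MULTILINE)


def parse_version(s):
    """'1.2.3' -> (1, 2, 3), so that 1.10.0 sorts after 1.9.9 (string compare would not)."""
    return tuple(int(p) for p in s.split("."))


def zlib_version_from_header(text):
    """Return the ZLIB_VERSION string from the text of a zlib.h, or None if absent."""
    m = ZLIB_VERSION_RE.search(text)
    return m.group(1) if m else None


def find_bundled_zlib(root):
    """Map each zlib.h below root (path relative to root, '/'-separated) to its version."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        if "zlib.h" not in files:
            continue
        path = os.path.join(dirpath, "zlib.h")
        with open(path, encoding="utf-8", errors="replace") as fh:
            ver = zlib_version_from_header(fh.read())
        if ver:  # a file named zlib.h without the define is not a zlib copy
            found[os.path.relpath(path, root).replace(os.sep, "/")] = ver
    return found


def outdated_copies(found, minimum="1.2.3"):
    """Subset of found whose version is older than minimum (1.2.3 assumed here)."""
    floor = parse_version(minimum)
    return {p: v for p, v in found.items() if parse_version(v) < floor}


def build_demo_tree(root):
    """Constructed layout: one stale bundled zlib (1.1.4) and one current one (1.2.3)."""
    for rel, ver in (("erts/zlib/zlib.h", "1.1.4"),
                     ("vendor/zlib-new/zlib.h", "1.2.3")):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        major, minor, patch = parse_version(ver)
        with open(path, "w") as fh:
            fh.write("/* zlib.h -- interface of the 'zlib' general purpose compression library */\n")
            fh.write('#define ZLIB_VERSION "%s"\n' % ver)
            fh.write("#define ZLIB_VERNUM 0x%x%x%x0\n" % (major, minor, patch))


def demo():
    """Build the constructed tree, scan it, and return (all copies, outdated copies)."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        found = find_bundled_zlib(root)
        return found, outdated_copies(found)


if __name__ == "__main__":
    found, stale = demo()
    for path, ver in sorted(found.items()):
        flag = "OUTDATED" if path in stale else "ok"
        print("%-28s zlib %-6s %s" % (path, ver, flag))
```

Run against a real source tree, `find_bundled_zlib("/var/tmp/portage/.../work/otp_src_R11B-5")` would list every bundled `zlib.h` and `outdated_copies` the ones below the floor; because versions are compared as integer tuples, a bundled 1.2.11 is correctly ranked above 1.2.3. Note that this only detects version strings: a vendored copy that carries distribution patches (the situation the report describes) may have the fixes backported without the version bump, so the result is a prompt to read the bundled sources, not a verdict.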
Arches please stabilise dev-lang/erlang-11.2.5
ppc stable
sparc stable.
Changing status, as all arches are stable
Thx Opfer. I tend to vote NO.
CVE-2005-1849 and CVE-2004-0797 from the two originally cited zlib bugs are both denial-of-service attacks which IMHO means that this one is severity B3.
Thanks Ulrich. I vote NO.
I vote no.
Closing without GLSA then. Feel free to reopen if you disagree, as always :)