[Koha] Koha Digest, Vol 234, Issue 17

David Cook dcook at prosentient.com.au
Tue Apr 29 12:09:26 NZST 2025


Hi Justin,

Always good to see another Australian using Koha!

I think you're right. I don't think this is relevant for RabbitMQ. That said, it looks like Ubuntu pushed out a security release for RabbitMQ on 27 March 2025 for a different CVE. 

If you're using Debian/Ubuntu and have unattended upgrades on or frequently update your server, then you'll generally be fine. 

David Cook
Senior Software Engineer
Prosentient Systems
Suite 7.03
6a Glen St
Milsons Point NSW 2061
Australia

Office: 02 9212 0899

-----Original Message-----
Message: 1
Date: Mon, 28 Apr 2025 11:11:30 +1000
From: Justin Dowswell <justin.dowswell at tenantsunion.org.au>
To: koha at lists.katipo.co.nz
Subject: [Koha] Erlang/OTP SSH (CVE-2025-32433) - is rabbitmq-server affected?
Message-ID: <CAGzh+UNnq-_Bs3r=5F=HjbcjtATTY2=+rcFywMxU9zhau-6J1Q at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Hey everyone,

Been flagged by my VPS provider that our Koha instance may be affected by this vulnerability. It seems rabbitmq-server has some OTP dependencies, though not the erlang-ssh package.

Here is the official advisory:
https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2

On my Koha instance these erlang packages are installed:
erlang-asn1
erlang-base
erlang-crypto
erlang-eldap
erlang-ftp
erlang-inets
erlang-mnesia
erlang-os-mon
erlang-parsetools
erlang-public-key
erlang-runtime-tools
erlang-snmp
erlang-ssl
erlang-syntax-tools
erlang-tftp
erlang-tools
erlang-xmerl

So to me it looks like this flag is a false positive, but thought best to reach out here.

Thanks in advance,

Justin Dowswell (he/him)
Technology Coordinator
Tenants' Union of NSW
02 8117 3721


