File 2525-Add-information-about-compression-based-attacks-to-h.patch of Package erlang
From 301ff084c44693fbb1633ea07afbe7d8e2f3b1bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20W=C4=85sowski?= <michal@erlang.org>
Date: Sat, 7 Mar 2026 18:34:54 +0100
Subject: [PATCH 5/6] Add information about compression-based attacks to
hardening guide
---
lib/ssh/doc/src/hardening.xml | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/lib/ssh/doc/src/hardening.xml b/lib/ssh/doc/src/hardening.xml
index cc530ace0e..5b3b9747e7 100644
--- a/lib/ssh/doc/src/hardening.xml
+++ b/lib/ssh/doc/src/hardening.xml
@@ -117,6 +117,28 @@
<icaption>SSH server timeouts</icaption>
</image>
</section>
+ <section>
+ <title>Resilience to compression-based attacks</title>
+ <p>SSH supports compression of the data stream.
+ </p>
+ <p>Reasonable finite
+ <seeerl marker="ssh#hardening_daemon_options--max_sessions">max_sessions</seeerl>
+ option is highly recommended if compression is used to prevent excessive resource
+ usage by the compression library.
+ See <seeguide marker="#counters-and-parallelism">Counters and parallelism</seeguide>.
+ </p>
+ <p>The <c>'zlib@openssh.com'</c> algorithm is recommended because it only activates
+ after successful authentication.
+ </p>
+ <p>The <c>'zlib'</c> algorithm is not recommended because it activates before
+ authentication completes, allowing unauthenticated clients to expose potential
+ vulnerabilities in compression libraries, and increases attack surface of
+ compression-based side-channel and traffic-analysis attacks.
+ </p>
+ <p>In both algorithms decompression is protected by a size limit that prevents
+ excessive memory consumption.
+ </p>
+ </section>
</section>
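Review bot: the purpose clause in the max_sessions paragraph is misplaced: "option is highly recommended if compression is used to prevent excessive resource usage by the compression library" reads as though compression is what prevents the resource usage. Suggest reordering to "If compression is used, a reasonable finite <seeerl marker="ssh#hardening_daemon_options--max_sessions">max_sessions</seeerl> option is highly recommended, to prevent excessive resource usage by the compression library." In the 'zlib' paragraph, "allowing unauthenticated clients to expose potential vulnerabilities" should be "trigger potential vulnerabilities", and "increases attack surface of" should be "increases the attack surface for". The closing paragraph says decompression is protected by a size limit in both algorithms but does not say whether that limit is fixed or configurable; for a hardening guide it would help to state the limit or link to the option that controls it, as the earlier paragraph does for max_sessions, so readers can check that the protection applies to their configuration.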
--
2.51.0