Patch Package:           OTP 22.3.4.4
Git Tag:                 OTP-22.3.4.4
Date:                    2020-07-22
Trouble Report Id:       OTP-16764, OTP-16766, OTP-16767, OTP-16771,
                         OTP-16772
Seq num:                 ERIERL-509, ERIERL-512, ERL-1304
System:                  OTP
Release:                 22
Application:             crypto-4.6.5.1, erts-10.7.2.2, ssl-9.6.2.2
Predecessor:             OTP 22.3.4.3

 Check out the git tag OTP-22.3.4.4, and build a full OTP system
 including documentation. Apply one or more applications from this
 build as patches to your installation using the 'otp_patch_apply'
 tool. For information on install requirements, see descriptions for
 each application version below.

 ---------------------------------------------------------------------
 --- crypto-4.6.5.1 --------------------------------------------------
 ---------------------------------------------------------------------

 The crypto-4.6.5.1 application can be applied independently of other
 applications on a full OTP 22 installation.

 --- Improvements and New Features ---

  OTP-16771    Application(s): crypto
               Related Id(s): ERIERL-509

               Implemented a workaround to allow fallback from using
               the EVP API for Diffie-Hellman key generation.


 Full runtime dependencies of crypto-4.6.5.1: erts-9.0, kernel-5.3,
 stdlib-3.4

 ---------------------------------------------------------------------
 --- erts-10.7.2.2 ---------------------------------------------------
 ---------------------------------------------------------------------

 Note! The erts-10.7.2.2 application *cannot* be applied independently
       of other applications on an arbitrary OTP 22 installation.

       On a full OTP 22 installation, the following runtime
       dependency also has to be satisfied:
       -- kernel-6.5.1 (first satisfied in OTP 22.2)

 --- Fixed Bugs and Malfunctions ---

  OTP-16766    Application(s): erts
               Related Id(s): ERL-1304

               An unintentional reuse of an already used emulator
               internal event object could cause a wakeup signal to a
               thread to be lost. In the worst case this could cause
               the runtime system to hang. This hang was, however,
               quite rare.

  OTP-16772    Application(s): erts
               Related Id(s): ERL-1304

               NIF threads and driver threads on non-Linux systems
               leaked internal resources when terminating. On Windows
               these resources were one event per thread. On most
               other systems they were one mutex and one condition
               variable per thread. On those of these other systems
               that also lacked pthread_cond_timedwait(), a pipe with
               its file descriptors was also leaked.


 Full runtime dependencies of erts-10.7.2.2: kernel-6.5.1, sasl-3.3,
 stdlib-3.5

 ---------------------------------------------------------------------
 --- ssl-9.6.2.2 -----------------------------------------------------
 ---------------------------------------------------------------------

 Note! The ssl-9.6.2.2 application *cannot* be applied independently
       of other applications on an arbitrary OTP 22 installation.

       On a full OTP 22 installation, the following runtime
       dependency also has to be satisfied:
       -- public_key-1.7.2 (first satisfied in OTP 22.3)

 --- Fixed Bugs and Malfunctions ---

  OTP-16764    Application(s): ssl

               Data delivery with ssl:recv/2,3 could fail when using
               packet mode. This has been fixed by correcting the flow
               control handling of passive sockets when packet mode is
               used.

  OTP-16767    Application(s): ssl
               Related Id(s): ERIERL-512

               Fix the internal handling of options 'verify' and
               'verify_fun'. This change fixes a vulnerability where
               setting the ssl option 'verify' to verify_peer in a
               continued handshake would not take any effect,
               resulting in the acceptance of expired peer
               certificates.


 Full runtime dependencies of ssl-9.6.2.2: crypto-4.2, erts-10.0,
 inets-5.10.7, kernel-6.0, public_key-1.7.2, stdlib-3.5

 ---------------------------------------------------------------------
 ---------------------------------------------------------------------
 ---------------------------------------------------------------------
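
 A check for whether a running installation already carries the
 application versions listed above, including the ssl version that
 contains the OTP-16767 fix. This is an added example, not part of the
 OTP patch package; the function names are hypothetical. It assumes
 that on OTP release 22 a version that compares equal or higher carries
 the fixes, and it reports "unknown" for any other release, because
 this README says nothing about other branches.

```shell
#!/bin/sh
# ver_ge A B: succeed when dotted version A >= B, comparing each
# component as a number (so 9.6.10 > 9.6.2.2, unlike a string compare).
ver_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a= || a=${a#*.}
        [ "$b" = "$y" ] && b= || b=${b#*.}
        x=${x:-0}; y=${y:-0}          # a missing component counts as 0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# Versions shipped in OTP 22.3.4.4, taken from the README above.
required_vsn() {
    case $1 in
        crypto) echo 4.6.5.1 ;;
        erts)   echo 10.7.2.2 ;;
        ssl)    echo 9.6.2.2 ;;
        *)      return 1 ;;
    esac
}

# assess RELEASE APP VSN: print patched | unpatched | unknown.
# Only OTP release 22 is judged (assumption stated in the lead-in).
assess() {
    [ "$1" = 22 ] || { echo unknown; return 0; }
    req=$(required_vsn "$2") || { echo unknown; return 0; }
    if ver_ge "$3" "$req"; then echo patched; else echo unpatched; fi
}

# Ask the local 'erl' for its release and application versions.
check_installed() {
    erl -noshell -eval '
        R = erlang:system_info(otp_release),
        [begin application:load(A), {ok, V} = application:get_key(A, vsn),
               io:format("~s ~s ~s~n", [R, A, V]) end || A <- [crypto, ssl]],
        io:format("~s erts ~s~n", [R, erlang:system_info(version)]),
        halt().' |
    while read -r rel app vsn; do
        echo "$app-$vsn (OTP $rel): $(assess "$rel" "$app" "$vsn")"
    done
}

if [ "${1:-}" = check ]; then check_installed; fi
```

 Run the script with the argument "check" on the host whose 'erl' is
 on the PATH; without an argument it only defines the functions.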