Patch Package: OTP 25.3.2.16 Git Tag: OTP-25.3.2.16 Date: 2024-12-05 Trouble Report Id: OTP-19240, OTP-19311, OTP-19326, OTP-19330, OTP-19350, OTP-19352, OTP-19365, OTP-19379, OTP-19380 Seq num: CVE-2024-53846, ERIERL-1157, GH-8755, GH-8829, GH-8929, GH-8983, GH-9009, OTP-19240, OTP-19532, PR-8840, PR-8878, PR-8980, PR-8995, PR-9008, PR-9053, PR-9080, PR-9130 System: OTP Release: 25 Application: common_test-1.24.0.5, erts-13.2.2.12, inets-8.3.1.5, public_key-1.13.3.5, ssh-4.15.3.8, ssl-10.9.1.7, stdlib-4.3.1.6 Predecessor: OTP 25.3.2.15 Check out the git tag OTP-25.3.2.16, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below. --------------------------------------------------------------------- --- common_test-1.24.0.5 -------------------------------------------- --------------------------------------------------------------------- The common_test-1.24.0.5 application can be applied independently of other applications on a full OTP 25 installation. --- Fixed Bugs and Malfunctions --- OTP-19365 Application(s): common_test Related Id(s): ERIERL-1157, PR-9080 With this change, cth_surefire hook module handles group path reduction for a skipped group. This fixes a bug manifesting with improper group path for a group executed after a group which was skipped. Full runtime dependencies of common_test-1.24.0.5: compiler-6.0, crypto-4.5, debugger-4.1, erts-7.0, ftp-1.0, inets-6.0, kernel-8.4, observer-2.1, runtime_tools-1.8.16, sasl-2.5, snmp-5.1.2, ssh-4.0, stdlib-4.0, syntax_tools-1.7, tools-3.2, xmerl-1.3.8 --------------------------------------------------------------------- --- erts-13.2.2.12 -------------------------------------------------- --------------------------------------------------------------------- Note! The erts-13.2.2.12 application *cannot* be applied independently of other applications on an arbitrary OTP 25 installation. On a full OTP 25 installation, also the following runtime dependencies have to be satisfied: -- kernel-8.5 (first satisfied in OTP 25.1) -- stdlib-4.1 (first satisfied in OTP 25.1) --- Fixed Bugs and Malfunctions --- OTP-19330 Application(s): erts Related Id(s): GH-8983, PR-9008 Fix lock order violation if a NIF monitor down callback calls enif_whereis_pid. Would cause debug emulator to crash but could potentially lead to deadlocks in optimized emulator. Full runtime dependencies of erts-13.2.2.12: kernel-8.5, sasl-3.3, stdlib-4.1 --------------------------------------------------------------------- --- inets-8.3.1.5 --------------------------------------------------- --------------------------------------------------------------------- The inets-8.3.1.5 application can be applied independently of other applications on a full OTP 25 installation. --- Fixed Bugs and Malfunctions --- OTP-19379 Application(s): inets Related Id(s): GH-8829, PR-8878 Fixed a bug where calling httpc:set_options/2 when one of keys: ipfamily or unix_socket, was not present, would cause the other value to get overriden by the default value. The validation of these options was also improved. Full runtime dependencies of inets-8.3.1.5: erts-13.0, kernel-6.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-4.0 --------------------------------------------------------------------- --- public_key-1.13.3.5 --------------------------------------------- --------------------------------------------------------------------- The public_key-1.13.3.5 application can be applied independently of other applications on a full OTP 25 installation. --- Fixed Bugs and Malfunctions --- OTP-19240 Application(s): public_key Related Id(s): PR-8840, OTP-19532 If both ext-key-usage and key-usage are defined for a certificate it should be checked that these usages are consistent with each other. This will have the affect that such certificates where the ext-key-usages is marked as critical and the usages is consistent with the key-use it can be considered valid without mandatory application specific checks for the ext-key-useage extension. OTP-19350 Application(s): public_key Related Id(s): GH-9009, PR-9053 Handle decoding of EDDSA key properly, when decoding a PEM file that contains only the public EDDSA key. Full runtime dependencies of public_key-1.13.3.5: asn1-3.0, crypto-4.6, erts-6.0, kernel-3.0, stdlib-3.5 --------------------------------------------------------------------- --- ssh-4.15.3.8 ---------------------------------------------------- --------------------------------------------------------------------- The ssh-4.15.3.8 application can be applied independently of other applications on a full OTP 25 installation. --- Fixed Bugs and Malfunctions --- OTP-19326 Application(s): ssh Related Id(s): GH-8929, PR-8995 With this change, ssh connection does not crash upon receiving exit-signal message for an already terminated channel. Full runtime dependencies of ssh-4.15.3.8: crypto-5.0, erts-11.0, kernel-6.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-3.15 --------------------------------------------------------------------- --- ssl-10.9.1.7 ---------------------------------------------------- --------------------------------------------------------------------- Note! The ssl-10.9.1.7 application *cannot* be applied independently of other applications on an arbitrary OTP 25 installation. On a full OTP 25 installation, also the following runtime dependency has to be satisfied: -- stdlib-4.1 (first satisfied in OTP 25.1) --- Fixed Bugs and Malfunctions --- OTP-19311 Application(s): ssl Related Id(s): PR-8980 Avoid generating an internal alert for case that should have been an orderly shutdown by the supervisor. OTP-19352 Application(s): ssl Related Id(s): PR-9130, CVE-2024-53846, OTP-19240 If present, extended key-usage TLS (SSL) role check (pk-clientAuth, pk-serverAuth) should always be performed for peer-cert. An intermediate CA cert may relax the requirement if AnyExtendedKeyUsage purpose is present. In OTP-25.3.2.8, OTP-26.2 and OTP-27.0 these requirements became too relaxed. There where two problems, firstly the peer cert extension was only checked if it was marked critical, and secondly the CA cert check did not assert the relaxed AnyExtendedKeyUsage purpose. This could result in that certificates might be misused for purposes not intended by the certificate authority. Thanks to Bryan Paxton for reporting the issue. Full runtime dependencies of ssl-10.9.1.7: crypto-5.0, erts-10.0, inets-5.10.7, kernel-8.4, public_key-1.11.3, runtime_tools-1.15.1, stdlib-4.1 --------------------------------------------------------------------- --- stdlib-4.3.1.6 -------------------------------------------------- --------------------------------------------------------------------- Note! The stdlib-4.3.1.6 application *cannot* be applied independently of other applications on an arbitrary OTP 25 installation. On a full OTP 25 installation, also the following runtime dependencies have to be satisfied: -- erts-13.1 (first satisfied in OTP 25.1) -- kernel-8.5.1 (first satisfied in OTP 25.1.1) --- Fixed Bugs and Malfunctions --- OTP-19380 Application(s): stdlib Related Id(s): GH-8755 Fixed an error in uri_string:percent_decode spec Full runtime dependencies of stdlib-4.3.1.6: compiler-5.0, crypto-4.5, erts-13.1, kernel-8.5.1, sasl-3.0 --------------------------------------------------------------------- --- Thanks to ------------------------------------------------------- --------------------------------------------------------------------- Marko Mindek, zmstone --------------------------------------------------------------------- --------------------------------------------------------------------- ---------------------------------------------------------------------