Patch Package OTP 23.2.6 Released

Erlang/OTP otp@REDACTED
Thu Feb 25 10:21:04 CET 2021


Patch Package:           OTP 23.2.6
Git Tag:                 OTP-23.2.6
Date:                    2021-02-25
Trouble Report Id:       OTP-17173, OTP-17205, OTP-17220
Seq num:                 ERIERL-581, ERIERL-608
System:                  OTP
Release:                 23
Application:             inets-7.3.2, ssh-4.10.8
Predecessor:             OTP 23.2.5

 Check out the git tag OTP-23.2.6, and build a full OTP system
 including documentation. Apply one or more applications from this
 build as patches to your installation using the 'otp_patch_apply'
 tool. For information on install requirements, see descriptions for
 each application version below.

 ---------------------------------------------------------------------
 --- inets-7.3.2 -----------------------------------------------------
 ---------------------------------------------------------------------

 The inets-7.3.2 application can be applied independently of other
 applications on a full OTP 23 installation.

 --- Fixed Bugs and Malfunctions ---

  OTP-17205    Application(s): inets
               Related Id(s): ERIERL-608

               Solves CVE-2021-27563, that is make sure no form of
               relative path can be used to go outside webservers
               directory.


  OTP-17220    Application(s): inets

               Make sure HEAD requests rejects directory links


 Full runtime dependencies of inets-7.3.2: erts-6.0, kernel-3.0,
 mnesia-4.12, runtime_tools-1.8.14, ssl-5.3.4, stdlib-3.5


 ---------------------------------------------------------------------
 --- ssh-4.10.8 ------------------------------------------------------
 ---------------------------------------------------------------------

 The ssh-4.10.8 application can be applied independently of other
 applications on a full OTP 23 installation.

 --- Fixed Bugs and Malfunctions ---

  OTP-17173    Application(s): ssh
               Related Id(s): ERIERL-581

               Don't timeout slow connection setups and tear-downs. A
               rare crash risk for the controller is also removed.


 Full runtime dependencies of ssh-4.10.8: crypto-4.6.4, erts-9.0,
 kernel-5.3, public_key-1.6.1, stdlib-3.4.1


 ---------------------------------------------------------------------
 ---------------------------------------------------------------------
 ---------------------------------------------------------------------



More information about the erlang-announce mailing list