Patch Package OTP 22.3.4.27 Released
Erlang/OTP
otp@REDACTED
Mon Mar 18 17:56:31 CET 2024
Patch Package: OTP 22.3.4.27
Git Tag: OTP-22.3.4.27
Date: 2024-03-18
Trouble Report Id: OTP-18169, OTP-18170, OTP-18175, OTP-18197,
OTP-18258, OTP-18897, OTP-19002
Seq num: ERIERL-1041, GH-6165, GH-6309, PR-6134,
PR-6135, PR-6142, PR-6213, PR-6324
System: OTP
Release: 22
Application: erts-10.7.2.19, ssh-4.9.1.5
Predecessor: OTP 22.3.4.26
Check out the git tag OTP-22.3.4.27, and build a full OTP system
including documentation. Apply one or more applications from this
build as patches to your installation using the 'otp_patch_apply'
tool. For information on install requirements, see descriptions for
each application version below.
---------------------------------------------------------------------
--- POTENTIAL INCOMPATIBILITIES -------------------------------------
---------------------------------------------------------------------
OTP-18897 Application(s): ssh
With this change (being response to CVE-2023-48795),
ssh can negotiate "strict KEX" OpenSSH extension with
peers supporting it; also
'chacha20-poly1305@REDACTED' algorithm becomes a
less preferred cipher.
If strict KEX availability cannot be ensured on both
connection sides, affected encryption modes(CHACHA and
CBC) can be disabled with standard ssh configuration.
This will provide protection against vulnerability, but
at a cost of affecting interoperability. See
Configuring algorithms in SSH User's Guide.
---------------------------------------------------------------------
--- erts-10.7.2.19 --------------------------------------------------
---------------------------------------------------------------------
Note! The erts-10.7.2.19 application *cannot* be applied
independently of other applications on an arbitrary OTP 22
installation.
On a full OTP 22 installation, also the following runtime
dependency has to be satisfied:
-- kernel-6.5.2.5 (first satisfied in OTP 22.3.4.25)
--- Fixed Bugs and Malfunctions ---
OTP-18169 Application(s): erts
Related Id(s): PR-6134
A race could cause process_info(Pid, message_queue_len)
on other processes to return invalid results.
OTP-18170 Application(s): erts
Related Id(s): PR-6135
Fixed reduction counting for handling process system
tasks.
OTP-18175 Application(s): erts
Related Id(s): PR-6142
Priority elevation of terminating processes did not
work which could cause execution of such processes to
be delayed.
OTP-18197 Application(s): erts
Related Id(s): GH-6165, PR-6213
The erlang:monotonic_time/1, erlang:system_time/1,
erlang:time_offset/1, and os:system_time/1 BIFs
erroneously failed when passed the argument native.
OTP-18258 Application(s): erts
Related Id(s): GH-6309, PR-6324
Notifications about available distribution data sent to
distribution controller processes could be lost.
Distribution controller processes can be used when
implementing an alternative distribution carrier. The
default distribution over tcp was not effected and the
bug was also not present on x86/x86_64 platforms.
Full runtime dependencies of erts-10.7.2.19: kernel-6.5.2.5,
sasl-3.3, stdlib-3.5
---------------------------------------------------------------------
--- ssh-4.9.1.5 -----------------------------------------------------
---------------------------------------------------------------------
Note! The ssh-4.9.1.5 application *cannot* be applied independently
of other applications on an arbitrary OTP 22 installation.
On a full OTP 22 installation, also the following runtime
dependency has to be satisfied:
-- crypto-4.6.4 (first satisfied in OTP 22.2.2)
--- Fixed Bugs and Malfunctions ---
OTP-18897 Application(s): ssh
*** POTENTIAL INCOMPATIBILITY ***
With this change (being response to CVE-2023-48795),
ssh can negotiate "strict KEX" OpenSSH extension with
peers supporting it; also
'chacha20-poly1305@REDACTED' algorithm becomes a
less preferred cipher.
If strict KEX availability cannot be ensured on both
connection sides, affected encryption modes(CHACHA and
CBC) can be disabled with standard ssh configuration.
This will provide protection against vulnerability, but
at a cost of affecting interoperability. See
Configuring algorithms in SSH User's Guide.
OTP-19002 Application(s): ssh
Related Id(s): ERIERL-1041
With this change, KEX strict terminal message is
emitted with debug verbosity.
Full runtime dependencies of ssh-4.9.1.5: crypto-4.6.4, erts-9.0,
kernel-5.3, public_key-1.6.1, stdlib-3.4.1
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
More information about the erlang-announce
mailing list