Patch Package:           OTP 29.0.1
Git Tag:                 OTP-29.0.1
Date:                    2026-05-27
Trouble Report Id:       OTP-20112, OTP-20129, OTP-20130, OTP-20134,
                         OTP-20138, OTP-20139, OTP-20140, OTP-20141,
                         OTP-20146
Seq num:                 CVE-2026-42789, CVE-2026-42790, ERIERL-1321,
                         GH-11088, PR-11007, PR-11089, PR-11100,
                         PR-11107, PR-11123, PR-11124, PR-11125,
                         PR-11135, PR-11136
System:                  OTP
Release:                 29
Application:             compiler-10.0.1, erts-17.0.1, kernel-11.0.1,
                         public_key-1.21.1, snmp-5.20.4, ssl-11.7.1
Predecessor:             OTP 29.0

Check out the git tag OTP-29.0.1, and build a full OTP system including
documentation. Apply one or more applications from this build as patches to your
installation using the 'otp_patch_apply' tool. For information on install
requirements, see descriptions for each application version below.

# POTENTIAL INCOMPATIBILITIES

- 'public_key', Adhere to RFC 9525, and remove support for legacy fallback to
  check hostname against subject common name. Also improve error handling
  creating two separate errors for name constraint check for subject names and
  subject alternative names.

  'ssl'. Error handling is slightly changed to better reflect public_key
  behaviour.

  Own Id: OTP-20130
  Application(s): public_key, ssl
  Related Id(s): PR-11124, CVE-2026-42790

# compiler-10.0.1

The compiler-10.0.1 application can be applied independently of other
applications on a full OTP 29 installation.

## Fixed Bugs and Malfunctions

- In rare circumstances, optimization of boolean expressions could invert the
  boolean value.

  Own Id: OTP-20140
  Related Id(s): GH-11088, PR-11089

- The compiler could crash when compiling code using native records in certain
  ways.

  Own Id: OTP-20146
  Related Id(s): PR-11135

> #### Full runtime dependencies of compiler-10.0.1
>
> crypto-5.1, erts-13.0, kernel-8.4, stdlib-8.0

# erts-17.0.1

The erts-17.0.1 application can be applied independently of other applications
on a full OTP 29 installation.

## Fixed Bugs and Malfunctions

- Comparison of two native records could return an incorrect result or crash the
  runtime system.

  Own Id: OTP-20139
  Related Id(s): PR-11107

> #### Full runtime dependencies of erts-17.0.1
>
> kernel-9.0, sasl-3.3, stdlib-4.1

# kernel-11.0.1

The kernel-11.0.1 application can be applied independently of other applications
on a full OTP 29 installation.

## Fixed Bugs and Malfunctions

- SCTP peeloff of an IPv6 socket, the peeled-off socket does not inherit the
  parent options as expected.

  Own Id: OTP-20134
  Related Id(s): PR-11007

> #### Full runtime dependencies of kernel-11.0.1
>
> crypto-5.8, erts-17.0, sasl-3.0, stdlib-8.0

# public_key-1.21.1

The public_key-1.21.1 application can be applied independently of other
applications on a full OTP 29 installation.

## Fixed Bugs and Malfunctions

- OCSP responder certificates are now checked for expiration before being
  accepted as authorized responders. Previously, expired or not-yet-valid
  responder certificates were incorrectly accepted when verifying OCSP
  responses.

  Own Id: OTP-20112
  Related Id(s): PR-11136

- Corrected basic constraint path validation check in accordance to RFC 5280.

  Own Id: OTP-20129
  Related Id(s): PR-11123, CVE-2026-42789

- 'public_key', Adhere to RFC 9525, and remove support for legacy fallback to
  check hostname against subject common name. Also improve error handling
  creating two separate errors for name constraint check for subject names and
  subject alternative names.

  'ssl'. Error handling is slightly changed to better reflect public_key
  behaviour.

  Own Id: OTP-20130
  Related Id(s): PR-11124, CVE-2026-42790

  *** POTENTIAL INCOMPATIBILITY ***

> #### Full runtime dependencies of public_key-1.21.1
>
> asn1-5.0, crypto-5.8, erts-13.0, kernel-8.0, stdlib-4.0

# snmp-5.20.4

The snmp-5.20.4 application can be applied independently of other applications
on a full OTP 29 installation.

## Fixed Bugs and Malfunctions

- Fixed a bug in snmpm_usm:generate_outgoing_msg/5 that caused a badmatch crash
  when constructing an error response for an unknown user/engineID combination.

  Own Id: OTP-20138
  Related Id(s): ERIERL-1321, PR-11100

> #### Full runtime dependencies of snmp-5.20.4
>
> asn1-5.4, crypto-4.6, erts-12.0, kernel-8.0, mnesia-4.12,
> runtime_tools-1.8.14, stdlib-5.0

# ssl-11.7.1

Note! The ssl-11.7.1 application _cannot_ be applied independently of other
applications on an arbitrary OTP 29 installation.

       On a full OTP 29 installation, also the following runtime
       dependency has to be satisfied:
       -- public_key-1.21.1 (first satisfied in OTP 29.0.1)

## Fixed Bugs and Malfunctions

- 'public_key', Adhere to RFC 9525, and remove support for legacy fallback to
  check hostname against subject common name. Also improve error handling
  creating two separate errors for name constraint check for subject names and
  subject alternative names.

  'ssl'. Error handling is slightly changed to better reflect public_key
  behaviour.

  Own Id: OTP-20130
  Related Id(s): PR-11124, CVE-2026-42790

  *** POTENTIAL INCOMPATIBILITY ***

- Could cause server to terminate a connection without an alert towards a bad
  client.

  Own Id: OTP-20141
  Related Id(s): PR-11125

> #### Full runtime dependencies of ssl-11.7.1
>
> crypto-5.8, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.21.1,
> runtime_tools-1.15.1, stdlib-7.0

# Thanks to

Martin Hässler, Paul Guyot