Erlang/OTP 25.3.2.18

This release of Erlang/OTP can be built from source or installed using pre-built packages for your OS or third-party tools (such as kerl, asdf or mise).

docker run -it erlang:25.3.2.18
Erlang/OTP 25.3.2.18
View on github.com
Patch Package OTP 25.3.2.18
Git Tag OTP-25.3.2.18
Date 2025-02-20
Issue Id
CVE-2025-26618
ERIERL-1173
System OTP
Release 25
Application

erts-13.2.2.14 #

Note! The erts-13.2.2.14 application *cannot* be applied independently of other applications on an arbitrary OTP 25 installation. On a full OTP 25 installation, also the following runtime dependencies have to be satisfied: -- kernel-8.5 (first satisfied in OTP 25.1) -- stdlib-4.1 (first satisfied in OTP 25.1)

OTP-19495
Application(s):
erts
Related Id(s):
GH-8208 , PR-8209

Fixed BEAM crash when a custom thread sends a large map (>128 keys) externally encoded with for example erl_drv_send_term().

Full runtime dependencies of erts-13.2.2.14: kernel-8.5, sasl-3.3, stdlib-4.1

public_key-1.13.3.6 #

The public_key-1.13.3.6 application can be applied independently of other applications on a full OTP 25 installation.

OTP-19240
Application(s):
public_key
Related Id(s):
GH-9208 , PR-9286

Consider keyCertSign to compatible with extended key usage for TLS client/server auth in CAs, adhere to wide spread implementations

Full runtime dependencies of public_key-1.13.3.6: asn1-3.0, crypto-4.6, erts-6.0, kernel-3.0, stdlib-3.5

ssh-4.15.3.10 #

The ssh-4.15.3.10 application can be applied independently of other applications on a full OTP 25 installation.

OTP-19466
Application(s):
ssh
Related Id(s):
ERIERL-1173 , CVE-2025-26618

SFTP packets exceeding max packet size are not processed and dropped.

Full runtime dependencies of ssh-4.15.3.10: crypto-5.0, erts-11.0, kernel-6.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-3.15

Thanks To #

Simon Cornish