From otp@REDACTED Mon Jun 16 11:06:18 2025
From: otp@REDACTED (Erlang/OTP)
Date: Mon, 16 Jun 2025 11:06:18 +0200 (CEST)
Subject: Patch Package OTP 27.3.4.1 Released
Message-ID: <20250616090618.923EB25464B@hel.cslab.ericsson.net>

Patch Package: OTP 27.3.4.1
Git Tag: OTP-27.3.4.1
Date: 2025-06-16
Trouble Report Id: OTP-19634, OTP-19635, OTP-19637, OTP-19638, OTP-19640, OTP-19646, OTP-19647, OTP-19649, OTP-19653, OTP-19658, OTP-19659, OTP-19662, OTP-19667, OTP-19676
Seq num: CVE-2025-4748, ERIERL-1225, ERIERL-1235, GH-6463, GH-9102, GH-9722, GH-9771, GH-9816, GH-9841, GH-9875, PR-9103, PR-9691, PR-9838, PR-9846, PR-9849, PR-9859, PR-9876, PR-9896, PR-9897, PR-9898, PR-9905, PR-9912, PR-9941
System: OTP
Release: 27
Application: asn1-5.3.4.1, eldap-1.2.14.1, kernel-10.2.7.1, ssh-5.2.11.1, ssl-11.2.12.1, stdlib-6.2.2.1, xmerl-2.1.3.1
Predecessor: OTP 27.3.4

Check out the git tag OTP-27.3.4.1, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

# OTP-27.3.4.1

## Fixed Bugs and Malfunctions

- Disable warnings as error for `ex_doc` when any Erlang/OTP application has been disabled by configure.

  Own Id: OTP-19646
  Related Id(s): GH-9875, PR-9876

# asn1-5.3.4.1

The asn1-5.3.4.1 application can be applied independently of other applications on a full OTP 27 installation.

## Fixed Bugs and Malfunctions

- The ASN.1 compiler could generate code that would cause Dialyzer with the `unmatched_returns` option to emit warnings.

  Own Id: OTP-19638
  Related Id(s): GH-9841, PR-9846

> #### Full runtime dependencies of asn1-5.3.4.1
>
> erts-14.0, kernel-9.0, stdlib-5.0

# eldap-1.2.14.1

The eldap-1.2.14.1 application can be applied independently of other applications on a full OTP 27 installation.

## Fixed Bugs and Malfunctions

- With this change eldap's 'not' function will have specs fixed.

  Own Id: OTP-19658
  Related Id(s): PR-9859

> #### Full runtime dependencies of eldap-1.2.14.1
>
> asn1-3.0, erts-6.0, kernel-3.0, ssl-5.3.4, stdlib-3.4

# kernel-10.2.7.1

Note! The kernel-10.2.7.1 application _cannot_ be applied independently of other applications on an arbitrary OTP 27 installation.

On a full OTP 27 installation, also the following runtime dependency has to be satisfied:

-- erts-15.2.5 (first satisfied in OTP 27.3.2)

## Fixed Bugs and Malfunctions

- A remote shell can now exit by closing the input stream, without terminating the remote node.

  Own Id: OTP-19667
  Related Id(s): PR-9912

## Improvements and New Features

- Document default buffer sizes

  Own Id: OTP-19640
  Related Id(s): GH-9722

> #### Full runtime dependencies of kernel-10.2.7.1
>
> crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-6.0

# ssh-5.2.11.1

The ssh-5.2.11.1 application can be applied independently of other applications on a full OTP 27 installation.

## Fixed Bugs and Malfunctions

- Various channel closing robustness improvements. Avoid crashes when channel handling process closes channel and immediately exits. Avoid breaking the protocol by sending duplicated channel-close messages. Cleanup channels which timeout during closing procedure.

  Own Id: OTP-19634
  Related Id(s): GH-9102, PR-9103

- Improved interoperability with clients acting as Paramiko.

  Own Id: OTP-19637
  Related Id(s): GH-6463, PR-9838

> #### Full runtime dependencies of ssh-5.2.11.1
>
> crypto-5.0, erts-14.0, kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1,
> stdlib-5.0, stdlib-6.0

# ssl-11.2.12.1

Note! The ssl-11.2.12.1 application _cannot_ be applied independently of other applications on an arbitrary OTP 27 installation.

On a full OTP 27 installation, also the following runtime dependency has to be satisfied:

-- public_key-1.16.4 (first satisfied in OTP 27.1.3)

## Fixed Bugs and Malfunctions

- hs_keylog callback properly handle alert in initial states, where encryption is not yet used. Also add keylog callback invocation for corner-case where server alert is encrypted with application secrets as client is already in connection state.

  Own Id: OTP-19635
  Related Id(s): ERIERL-1235, PR-9849

## Improvements and New Features

- The documentation for SSL option `verify_fun` has been improved.

  Own Id: OTP-19676
  Related Id(s): PR-9691

> #### Full runtime dependencies of ssl-11.2.12.1
>
> crypto-5.0, erts-15.0, inets-5.10.7, kernel-9.0, public_key-1.16.4,
> runtime_tools-1.15.1, stdlib-6.0

# stdlib-6.2.2.1

The stdlib-6.2.2.1 application can be applied independently of other applications on a full OTP 27 installation.

## Fixed Bugs and Malfunctions

- The `save_module/1` command in the shell now saves both the locally defined records and the imported records using the `rr/1` command.

  Own Id: OTP-19647
  Related Id(s): GH-9816, PR-9897

- It's now possible to write `lists:map(fun is_atom/1, [])` or `lists:map(fun my_func/1, [])`, in the shell, instead of `lists:map(fun erlang:is_atom/1, [])` or `lists:map(fun shell_default:my_func/1, [])`.

  Own Id: OTP-19649
  Related Id(s): GH-9771, PR-9898

- Properly strip the leading `/` and drive letter from filepaths when zipping and unzipping archives.

  Thanks to Wander Nauta for finding and responsibly disclosing this vulnerability to the Erlang/OTP project.

  Own Id: OTP-19653
  Related Id(s): PR-9941, CVE-2025-4748

- Shell no longer crashes when requesting to autocomplete map keys containing non-atoms.

  Own Id: OTP-19659
  Related Id(s): PR-9896

- A remote shell can now exit by closing the input stream, without terminating the remote node.

  Own Id: OTP-19667
  Related Id(s): PR-9912

> #### Full runtime dependencies of stdlib-6.2.2.1
>
> compiler-5.0, crypto-4.5, erts-15.0, kernel-10.0, sasl-3.0

# xmerl-2.1.3.1

The xmerl-2.1.3.1 application can be applied independently of other applications on a full OTP 27 installation.

## Fixed Bugs and Malfunctions

- The type specs of xmerl_scan:file/2 and xmerl_scan:string/2 have been updated to return `dynamic/0`. Due to hook functions they can return any user defined term.

  Own Id: OTP-19662
  Related Id(s): ERIERL-1225, PR-9905

> #### Full runtime dependencies of xmerl-2.1.3.1
>
> erts-6.0, kernel-8.4, stdlib-2.5

# Thanks to

Dan Janowski, Ilya Averyanov, Yaroslav Maslennikov

From otp@REDACTED Mon Jun 16 11:32:09 2025
From: otp@REDACTED (Erlang/OTP)
Date: Mon, 16 Jun 2025 11:32:09 +0200 (CEST)
Subject: Patch Package OTP 28.0.1 Released
Message-ID: <20250616093209.7F4F825465F@hel.cslab.ericsson.net>

Patch Package: OTP 28.0.1
Git Tag: OTP-28.0.1
Date: 2025-06-16
Trouble Report Id: OTP-19634, OTP-19635, OTP-19637, OTP-19638, OTP-19641, OTP-19644, OTP-19645, OTP-19650, OTP-19653, OTP-19658, OTP-19662, OTP-19665, OTP-19675, OTP-19676
Seq num: CVE-2025-4748, ERIERL-1225, ERIERL-1235, GH-6463, GH-9102, GH-9841, GH-9858, GH-9863, GH-9872, PR-9103, PR-9691, PR-9838, PR-9846, PR-9849, PR-9859, PR-9861, PR-9870, PR-9878, PR-9880, PR-9892, PR-9905, PR-9926, PR-9941
System: OTP
Release: 28
Application: asn1-5.4.1, debugger-6.0.1, eldap-1.2.16, erts-16.0.1, kernel-10.3.1, public_key-1.18.1, ssh-5.3.1, ssl-11.3.1, stdlib-7.0.1, xmerl-2.1.5
Predecessor: OTP 28.0

Check out the git tag OTP-28.0.1, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

# asn1-5.4.1

The asn1-5.4.1 application can be applied independently of other applications on a full OTP 28 installation.

## Fixed Bugs and Malfunctions

- The ASN.1 compiler could generate code that would cause Dialyzer with the `unmatched_returns` option to emit warnings.

  Own Id: OTP-19638
  Related Id(s): GH-9841, PR-9846

> #### Full runtime dependencies of asn1-5.4.1
>
> erts-14.0, kernel-9.0, stdlib-5.0

# debugger-6.0.1

The debugger-6.0.1 application can be applied independently of other applications on a full OTP 28 installation.

## Fixed Bugs and Malfunctions

- Restore deleted icon so that debugger does not crash on startup.

  Own Id: OTP-19641
  Related Id(s): GH-9858, PR-9861

> #### Full runtime dependencies of debugger-6.0.1
>
> compiler-8.0, erts-15.0, kernel-10.0, stdlib-7.0, wx-2.0

# eldap-1.2.16

The eldap-1.2.16 application can be applied independently of other applications on a full OTP 28 installation.

## Fixed Bugs and Malfunctions

- With this change eldap's 'not' function will have specs fixed.

  Own Id: OTP-19658
  Related Id(s): PR-9859

> #### Full runtime dependencies of eldap-1.2.16
>
> asn1-3.0, erts-6.0, kernel-3.0, ssl-5.3.4, stdlib-3.4

# erts-16.0.1

The erts-16.0.1 application can be applied independently of other applications on a full OTP 28 installation.

## Fixed Bugs and Malfunctions

- Fix Erlang to not crash when io:standard_error/0 is a terminal but io:standard_io/0 is not.

  This bug has existed since Erlang/OTP 28.0 and only affects Windows.

  Own Id: OTP-19650
  Related Id(s): GH-9872, PR-9878

- In a debug build, the BIFs for the native debugger could cause a lock order violation diagnostic from the lock checker.

  Own Id: OTP-19665
  Related Id(s): PR-9926

- When building ERTS make sure correct `pcre2.h` file is included even if CFLAGS contains extra include paths.

  Own Id: OTP-19675
  Related Id(s): PR-9892

> #### Full runtime dependencies of erts-16.0.1
>
> kernel-9.0, sasl-3.3, stdlib-4.1

# kernel-10.3.1

The kernel-10.3.1 application can be applied independently of other applications on a full OTP 28 installation.

## Fixed Bugs and Malfunctions

- Fix bug where calling io:setopts/1 in a shell without the `line_history` option would always disable `line_history`. This bug was introduced in Erlang/OTP 28.0.

  Own Id: OTP-19645
  Related Id(s): GH-9863, PR-9870

> #### Full runtime dependencies of kernel-10.3.1
>
> crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-6.0

# public_key-1.18.1

The public_key-1.18.1 application can be applied independently of other applications on a full OTP 28 installation.

## Fixed Bugs and Malfunctions

- Add back some ASN-1 macros and definitions that should be included in API.

  Own Id: OTP-19644
  Related Id(s): PR-9880

> #### Full runtime dependencies of public_key-1.18.1
>
> asn1-5.0, crypto-5.0, erts-13.0, kernel-8.0, stdlib-4.0

# ssh-5.3.1

The ssh-5.3.1 application can be applied independently of other applications on a full OTP 28 installation.

## Fixed Bugs and Malfunctions

- Various channel closing robustness improvements. Avoid crashes when channel handling process closes channel and immediately exits. Avoid breaking the protocol by sending duplicated channel-close messages. Cleanup channels which timeout during closing procedure.

  Own Id: OTP-19634
  Related Id(s): GH-9102, PR-9103

- Improved interoperability with clients acting as Paramiko.

  Own Id: OTP-19637
  Related Id(s): GH-6463, PR-9838

> #### Full runtime dependencies of ssh-5.3.1
>
> crypto-5.0, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1,
> stdlib-5.0, stdlib-6.0

# ssl-11.3.1

The ssl-11.3.1 application can be applied independently of other applications on a full OTP 28 installation.

## Fixed Bugs and Malfunctions

- hs_keylog callback properly handle alert in initial states, where encryption is not yet used. Also add keylog callback invocation for corner-case where server alert is encrypted with application secrets as client is already in connection state.

  Own Id: OTP-19635
  Related Id(s): ERIERL-1235, PR-9849

## Improvements and New Features

- The documentation for SSL option `verify_fun` has been improved.

  Own Id: OTP-19676
  Related Id(s): PR-9691

> #### Full runtime dependencies of ssl-11.3.1
>
> crypto-5.6, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.16.4,
> runtime_tools-1.15.1, stdlib-7.0

# stdlib-7.0.1

The stdlib-7.0.1 application can be applied independently of other applications on a full OTP 28 installation.

## Fixed Bugs and Malfunctions

- Properly strip the leading `/` and drive letter from filepaths when zipping and unzipping archives.

  Thanks to Wander Nauta for finding and responsibly disclosing this vulnerability to the Erlang/OTP project.

  Own Id: OTP-19653
  Related Id(s): PR-9941, CVE-2025-4748

> #### Full runtime dependencies of stdlib-7.0.1
>
> compiler-5.0, crypto-4.5, erts-16.0, kernel-10.0, sasl-3.0, syntax_tools-3.2.1

# xmerl-2.1.5

The xmerl-2.1.5 application can be applied independently of other applications on a full OTP 28 installation.

## Fixed Bugs and Malfunctions

- The type specs of xmerl_scan:file/2 and xmerl_scan:string/2 have been updated to return `dynamic/0`. Due to hook functions they can return any user defined term.

  Own Id: OTP-19662
  Related Id(s): ERIERL-1225, PR-9905

> #### Full runtime dependencies of xmerl-2.1.5
>
> erts-6.0, kernel-8.4, stdlib-2.5

# Thanks to

Dan Janowski, Ilya Averyanov, Mikael Pettersson, Yaroslav Maslennikov

From otp@REDACTED Mon Jun 16 12:25:49 2025
From: otp@REDACTED (Erlang/OTP)
Date: Mon, 16 Jun 2025 12:25:49 +0200 (CEST)
Subject: Patch Package OTP 26.2.5.13 Released
Message-ID: <20250616102549.32A5F254653@hel.cslab.ericsson.net>

Patch Package: OTP 26.2.5.13
Git Tag: OTP-26.2.5.13
Date: 2025-06-16
Trouble Report Id: OTP-19634, OTP-19637, OTP-19638, OTP-19649, OTP-19653, OTP-19667
Seq num: CVE-2025-4748, GH-6463, GH-9102, GH-9771, GH-9841, PR-9103, PR-9838, PR-9846, PR-9898, PR-9912, PR-9941
System: OTP
Release: 26
Application: asn1-5.2.2.1, kernel-9.2.4.9, ssh-5.1.4.10, stdlib-5.2.3.4
Predecessor: OTP 26.2.5.12

Check out the git tag OTP-26.2.5.13, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

---------------------------------------------------------------------
--- asn1-5.2.2.1 ----------------------------------------------------
---------------------------------------------------------------------

The asn1-5.2.2.1 application can be applied independently of other applications on a full OTP 26 installation.

--- Fixed Bugs and Malfunctions ---

  OTP-19638    Application(s): asn1
               Related Id(s): GH-9841, PR-9846

               The ASN.1 compiler could generate code that would cause
               Dialyzer with the unmatched_returns option to emit
               warnings.

Full runtime dependencies of asn1-5.2.2.1: erts-11.0, kernel-7.0, stdlib-3.13

---------------------------------------------------------------------
--- kernel-9.2.4.9 --------------------------------------------------
---------------------------------------------------------------------

The kernel-9.2.4.9 application can be applied independently of other applications on a full OTP 26 installation.

--- Fixed Bugs and Malfunctions ---

  OTP-19667    Application(s): kernel, stdlib
               Related Id(s): PR-9912

               A remote shell can now exit by closing the input stream,
               without terminating the remote node.

Full runtime dependencies of kernel-9.2.4.9: crypto-5.0, erts-14.0, sasl-3.0, stdlib-5.0

---------------------------------------------------------------------
--- ssh-5.1.4.10 ----------------------------------------------------
---------------------------------------------------------------------

The ssh-5.1.4.10 application can be applied independently of other applications on a full OTP 26 installation.

--- Fixed Bugs and Malfunctions ---

  OTP-19634    Application(s): ssh
               Related Id(s): GH-9102, PR-9103

               Various channel closing robustness improvements. Avoid
               crashes when channel handling process closes channel and
               immediately exits. Avoid breaking the protocol by sending
               duplicated channel-close messages. Cleanup channels which
               timeout during closing procedure.

  OTP-19637    Application(s): ssh
               Related Id(s): GH-6463, PR-9838

               Improved interoperability with clients acting as
               Paramiko.

Full runtime dependencies of ssh-5.1.4.10: crypto-5.0, erts-14.0, kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-5.0

---------------------------------------------------------------------
--- stdlib-5.2.3.4 --------------------------------------------------
---------------------------------------------------------------------

The stdlib-5.2.3.4 application can be applied independently of other applications on a full OTP 26 installation.

--- Fixed Bugs and Malfunctions ---

  OTP-19649    Application(s): stdlib
               Related Id(s): GH-9771, PR-9898

               It's now possible to write lists:map(fun is_atom/1, [])
               or lists:map(fun my_func/1, []), in the shell, instead of
               lists:map(fun erlang:is_atom/1, []) or
               lists:map(fun shell_default:my_func/1, []).

  OTP-19653    Application(s): stdlib
               Related Id(s): PR-9941, CVE-2025-4748

               Properly strip the leading / and drive letter from
               filepaths when zipping and unzipping archives.

               Thanks to Wander Nauta for finding and responsibly
               disclosing this vulnerability to the Erlang/OTP project.

  OTP-19667    Application(s): kernel, stdlib
               Related Id(s): PR-9912

               A remote shell can now exit by closing the input stream,
               without terminating the remote node.

Full runtime dependencies of stdlib-5.2.3.4: compiler-5.0, crypto-4.5, erts-13.1, kernel-9.0, sasl-3.0

---------------------------------------------------------------------
--- Thanks to -------------------------------------------------------
---------------------------------------------------------------------

Yaroslav Maslennikov

---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
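
The OTP-19653 / CVE-2025-4748 entries in the three announcements above concern archive member names that begin with `/` or a drive letter. As an added example (not part of the announcements and not code from the OTP project), here is a pre-extraction check that a caller handling untrusted archives could run on a stdlib that has not yet been patched. The module name `zip_name_check`, its function names and the sample names in `demo/0` are assumptions made for illustration, and the `..` check goes beyond what the release note covers.

```erlang
-module(zip_name_check).
-export([classify/1, unsafe_entries/1, demo/0]).

%% Record definitions for the entries returned by zip:list_dir/1.
-include_lib("stdlib/include/zip.hrl").

%% Classify one member name exactly as stored in the archive directory.
%% The checks are purely textual so the result is the same on every OS.
-spec classify(string()) ->
          ok | {unsafe, absolute | drive_letter | parent_dir}.
classify([$/ | _]) ->
    {unsafe, absolute};
classify([$\\ | _]) ->
    {unsafe, absolute};
classify([D, $: | _]) when D >= $a, D =< $z; D >= $A, D =< $Z ->
    {unsafe, drive_letter};
classify(Name) ->
    %% Split on both separators; a ".." component can leave the target dir.
    case lists:member("..", string:lexemes(Name, "/\\")) of
        true  -> {unsafe, parent_dir};
        false -> ok
    end.

%% List the members of Archive (file name or binary) that should not be
%% extracted as-is. Nothing is written to disk; only the directory is read.
-spec unsafe_entries(file:name() | binary()) ->
          {ok, [{string(), atom()}]} | {error, term()}.
unsafe_entries(Archive) ->
    case zip:list_dir(Archive) of
        {ok, Entries} ->
            %% The record pattern skips the #zip_comment{} element.
            {ok, [{Name, Reason}
                  || #zip_file{name = Name} <- Entries,
                     {unsafe, Reason} <- [classify(Name)]]};
        {error, _} = Error ->
            Error
    end.

%% Constructed sample names (not taken from any real archive).
demo() ->
    Names = ["docs/readme.txt", "/etc/app.conf",
             "C:/temp/x.txt", "a/../../b"],
    [{Name, classify(Name)} || Name <- Names].
```

Call `zip_name_check:unsafe_entries(Archive)` before `zip:unzip/2` and refuse the archive when the returned list is not empty; upgrading to the stdlib versions named in the announcements remains the actual fix.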