Patch Package OTP 28.5.0.1 Released
Erlang/OTP
otp@REDACTED
Wed May 27 11:07:53 CEST 2026
Patch Package:           OTP 28.5.0.1
Git Tag:                 OTP-28.5.0.1
Date:                    2026-05-27
Trouble Report Id:       OTP-20112, OTP-20116, OTP-20119, OTP-20123,
                         OTP-20126, OTP-20128, OTP-20129, OTP-20130,
                         OTP-20131, OTP-20134, OTP-20138, OTP-20140,
                         OTP-20141
Seq num:                 CVE-2026-42789, CVE-2026-42790, ERIERL-1314,
                         ERIERL-1315, ERIERL-1321, GH-10968, GH-11030,
                         GH-11088, OTP-20102, PR-11007, PR-11032,
                         PR-11062, PR-11067, PR-11079, PR-11089,
                         PR-11100, PR-11123, PR-11124, PR-11125,
                         PR-11136
System:                  OTP
Release:                 28
Application:             compiler-9.0.6.1, erts-16.4.0.1,
                         inets-9.6.2.1, kernel-10.6.3.1,
                         public_key-1.20.3.1, snmp-5.20.2.1,
                         ssl-11.6.0.1, wx-2.5.4.1
Predecessor:             OTP 28.5
Check out the git tag OTP-28.5.0.1, and build a full OTP system including
documentation. Apply one or more applications from this build as patches to your
installation using the 'otp_patch_apply' tool. For information on install
requirements, see descriptions for each application version below.
# POTENTIAL INCOMPATIBILITIES
- 'public_key': Adhere to RFC 9525 and remove support for the legacy fallback
that checks the hostname against the subject common name. Also improve error
handling by creating two separate errors for the name constraint check, one for
subject names and one for subject alternative names.
'ssl': Error handling is slightly changed to better reflect public_key
behaviour.
Own Id: OTP-20130
Application(s): public_key, ssl
Related Id(s): PR-11124, CVE-2026-42790
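
A pre-upgrade check for the incompatibility above, as an added example that is not part of the OTP announcement or code base: it classifies a server certificate by whether it carries any subjectAltName entries, since a certificate without them can only have matched a hostname through the common-name fallback that this patch removes. The module name `san_audit`, its function names and the PEM path argument are hypothetical; the records come from `public_key.hrl`.

```erlang
-module(san_audit).
-export([classify_pem/2, classify/2]).

-include_lib("public_key/include/public_key.hrl").

%% OID of the subjectAltName extension (id-ce-subjectAltName).
-define(SAN_OID, {2,5,29,17}).

%% Classify the first certificate in a PEM file (assumed to be the leaf)
%% against Host, a string such as "www.example.org".
classify_pem(PemFile, Host) ->
    {ok, Pem} = file:read_file(PemFile),
    Ders = [Der || {'Certificate', Der, not_encrypted}
                       <- public_key:pem_decode(Pem)],
    case Ders of
        [Leaf | _] -> classify(Leaf, Host);
        []         -> {error, no_certificate}
    end.

%% no_san       : no subjectAltName entries; the hostname can only have
%%                matched via the subject common name
%% san_match    : a subjectAltName entry matches Host
%% san_mismatch : subjectAltName entries exist but none matches Host
classify(Der, Host) when is_binary(Der) ->
    #'OTPCertificate'{tbsCertificate = Tbs} =
        public_key:pkix_decode_cert(Der, otp),
    case san_entries(Tbs#'OTPTBSCertificate'.extensions) of
        [] ->
            no_san;
        [_ | _] ->
            case public_key:pkix_verify_hostname(Der, [{dns_id, Host}]) of
                true  -> san_match;
                false -> san_mismatch
            end
    end.

%% Return the decoded subjectAltName list, or [] when the extension is
%% absent or the certificate has no extensions at all (asn1_NOVALUE).
san_entries(Exts) when is_list(Exts) ->
    case lists:keyfind(?SAN_OID, #'Extension'.extnID, Exts) of
        #'Extension'{extnValue = Names} when is_list(Names) -> Names;
        _ -> []
    end;
san_entries(_) ->
    [].
```

Certificates reported as `no_san` are the ones to reissue with a subjectAltName before applying public_key-1.20.3.1 and ssl-11.6.0.1.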
# compiler-9.0.6.1
The compiler-9.0.6.1 application can be applied independently of other
applications on a full OTP 28 installation.
## Fixed Bugs and Malfunctions
- In rare circumstances, optimization of boolean expressions could invert the
boolean value.
Own Id: OTP-20140
Related Id(s): GH-11088, PR-11089
> #### Full runtime dependencies of compiler-9.0.6.1
>
> crypto-5.1, erts-13.0, kernel-8.4, stdlib-6.0
# erts-16.4.0.1
The erts-16.4.0.1 application can be applied independently of other applications
on a full OTP 28 installation.
## Fixed Bugs and Malfunctions
- Fixed `erlang:md5_init` to always return the same deterministic context
binary. Only an issue in OTP 28.5 when OTP was built with
`--disable-builtin-openssl` or `--enable-use-embedded-3pp-alternatives`.
Own Id: OTP-20123
- Added an explicit configure test for the C++ function `std::to_chars` if
either of the options `--disable-builtin-ryu` or
`--enable-use-embedded-3pp-alternatives` is used.
Own Id: OTP-20126
Related Id(s): PR-11067
> #### Full runtime dependencies of erts-16.4.0.1
>
> kernel-9.0, sasl-3.3, stdlib-4.1
# inets-9.6.2.1
The inets-9.6.2.1 application can be applied independently of other applications
on a full OTP 28 installation.
## Fixed Bugs and Malfunctions
- A call to httpd:reload_config/2 now validates the new configuration before
removing the old one, leaving the server running in case of faulty config,
instead of putting it in an unrecoverable state.
Own Id: OTP-20128
Related Id(s): ERIERL-1314, PR-11079
> #### Full runtime dependencies of inets-9.6.2.1
>
> erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14,
> ssl-9.0, stdlib-5.0, stdlib-6.0
# kernel-10.6.3.1
The kernel-10.6.3.1 application can be applied independently of other
applications on a full OTP 28 installation.
## Fixed Bugs and Malfunctions
- Incorrect TOS format when using gen_udp with socket backend
Own Id: OTP-20131
Related Id(s): GH-10968, OTP-20102
- After SCTP peeloff of an IPv6 socket, the peeled-off socket did not inherit
the parent options as expected.
Own Id: OTP-20134
Related Id(s): PR-11007
> #### Full runtime dependencies of kernel-10.6.3.1
>
> crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-7.0
# public_key-1.20.3.1
Note! The public_key-1.20.3.1 application _cannot_ be applied independently of
other applications on an arbitrary OTP 28 installation.
On a full OTP 28 installation, also the following runtime
dependency has to be satisfied:
-- crypto-5.8 (first satisfied in OTP 28.3)
## Fixed Bugs and Malfunctions
- OCSP responder certificates are now checked for expiration before being
accepted as authorized responders. Previously, expired or not-yet-valid
responder certificates were incorrectly accepted when verifying OCSP
responses.
Own Id: OTP-20112
Related Id(s): PR-11136
- Corrected the basic constraint path validation check in accordance with RFC 5280.
Own Id: OTP-20129
Related Id(s): PR-11123, CVE-2026-42789
- 'public_key': Adhere to RFC 9525 and remove support for the legacy fallback
that checks the hostname against the subject common name. Also improve error
handling by creating two separate errors for the name constraint check, one for
subject names and one for subject alternative names.
'ssl': Error handling is slightly changed to better reflect public_key
behaviour.
Own Id: OTP-20130
Related Id(s): PR-11124, CVE-2026-42790
*** POTENTIAL INCOMPATIBILITY ***
> #### Full runtime dependencies of public_key-1.20.3.1
>
> asn1-5.0, crypto-5.8, erts-13.0, kernel-8.0, stdlib-4.0
# snmp-5.20.2.1
The snmp-5.20.2.1 application can be applied independently of other applications
on a full OTP 28 installation.
## Fixed Bugs and Malfunctions
- Fixed a bug in snmpm_usm:generate_outgoing_msg/5 that caused a badmatch crash
when constructing an error response for an unknown user/engineID combination.
Own Id: OTP-20138
Related Id(s): ERIERL-1321, PR-11100
> #### Full runtime dependencies of snmp-5.20.2.1
>
> asn1-5.4, crypto-4.6, erts-12.0, kernel-8.0, mnesia-4.12,
> runtime_tools-1.8.14, stdlib-5.0
# ssl-11.6.0.1
Note! The ssl-11.6.0.1 application _cannot_ be applied independently of other
applications on an arbitrary OTP 28 installation.
On a full OTP 28 installation, also the following runtime
dependencies have to be satisfied:
-- crypto-5.8 (first satisfied in OTP 28.3)
-- public_key-1.20.3.1 (first satisfied in OTP 28.5.0.1)
## Fixed Bugs and Malfunctions
- Add missing clauses to ssl_handshake:extension_value/1. If a hello extension
without a handling clause was present in a paused handshake, the handshake
would fail.
Own Id: OTP-20116
Related Id(s): GH-11030, PR-11062
- 'public_key': Adhere to RFC 9525 and remove support for the legacy fallback
that checks the hostname against the subject common name. Also improve error
handling by creating two separate errors for the name constraint check, one for
subject names and one for subject alternative names.
'ssl': Error handling is slightly changed to better reflect public_key
behaviour.
Own Id: OTP-20130
Related Id(s): PR-11124, CVE-2026-42790
*** POTENTIAL INCOMPATIBILITY ***
- Could cause server to terminate a connection without an alert towards a bad
client.
Own Id: OTP-20141
Related Id(s): PR-11125
> #### Full runtime dependencies of ssl-11.6.0.1
>
> crypto-5.8, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.20.3.1,
> runtime_tools-1.15.1, stdlib-7.0
# wx-2.5.4.1
The wx-2.5.4.1 application can be applied independently of other applications on
a full OTP 28 installation.
## Fixed Bugs and Malfunctions
- The examples for `wx` are now only installed in one place (in `doc/examples`).
Own Id: OTP-20119
Related Id(s): ERIERL-1315, PR-11032
> #### Full runtime dependencies of wx-2.5.4.1
>
> erts-12.0, kernel-8.0, stdlib-5.0
# Thanks to
Martin Hässler, Paul Guyot