authorLoïc Hoguin <[email protected]>2025-09-12 15:11:09 +0200
committerLoïc Hoguin <[email protected]>2025-09-12 15:11:09 +0200
commit43c5aff8a4b969130ffe6b5963b5a0c8ff46620d (patch)
tree070824e9ebc4902ee84e355b196ee1f1194b9269
parent35198778a442ad1a453a84acaf73801adea8269b (diff)
OTP-28.0.3
-rw-r--r--early-plugins.mk4
-rw-r--r--release-notes/OTP-28.0.3.README.txt165
2 files changed, 167 insertions, 2 deletions
diff --git a/early-plugins.mk b/early-plugins.mk
index 91a0faa..d2c4fb3 100644
--- a/early-plugins.mk
+++ b/early-plugins.mk
@@ -22,7 +22,7 @@ OTP-24 := OTP-24.0.6 OTP-24.1.7 OTP-24.2.2 OTP-24.3.4.17
OTP-25 := OTP-25.0.4 OTP-25.1.2.1 OTP-25.2.3 OTP-25.3.2.21
OTP-26 := OTP-26.0.2 OTP-26.1.2 OTP-26.2.5.15
OTP-27 := OTP-27.0.1 OTP-27.1.3 OTP-27.2.4 OTP-27.3.4.3
-OTP-28 := OTP-28.0.2
+OTP-28 := OTP-28.0.3
OTP-18+ := $(OTP-18) $(OTP-19) $(OTP-20) $(OTP-21) $(OTP-22) $(OTP-23) $(OTP-24) $(OTP-25) $(OTP-26) $(OTP-27) $(OTP-28)
OTP-19+ := $(OTP-19) $(OTP-20) $(OTP-21) $(OTP-22) $(OTP-23) $(OTP-24) $(OTP-25) $(OTP-26) $(OTP-27) $(OTP-28)
@@ -129,7 +129,7 @@ OTP-26-DROPPED := OTP-26.0-rc3 \
OTP-27-DROPPED := OTP-27.0-rc1 OTP-27.0-rc2 \
OTP-27.1.2 OTP-27.2 OTP-27.2.1 OTP-27.2.2 OTP-27.2.3 OTP-27.3 OTP-27.3.1 OTP-27.3.2 OTP-27.3.3 OTP-27.3.4 OTP-27.3.4.1 OTP-27.3.4.2
OTP-28-DROPPED := OTP-28.0-rc1 OTP-28.0-rc2 OTP-28.0-rc3 OTP-28.0-rc4 \
- OTP-28.0 OTP-28.0.1
+ OTP-28.0 OTP-28.0.1 OTP-28.0.2
OTP-DROPPED := $(OTP-18-DROPPED) $(OTP-19-DROPPED) $(OTP-20-DROPPED) \
$(OTP-21-DROPPED) $(OTP-22-DROPPED) $(OTP-23-DROPPED) $(OTP-24-DROPPED) \
diff --git a/release-notes/OTP-28.0.3.README.txt b/release-notes/OTP-28.0.3.README.txt
new file mode 100644
index 0000000..29ec39b
--- /dev/null
+++ b/release-notes/OTP-28.0.3.README.txt
@@ -0,0 +1,165 @@
+Patch Package: OTP 28.0.3
+Git Tag: OTP-28.0.3
+Date: 2025-09-10
+Trouble Report Id: OTP-19701, OTP-19741, OTP-19742, OTP-19748,
+ OTP-19753, OTP-19755, OTP-19761
+Seq num: CVE-2025-48038, CVE-2025-48039,
+ CVE-2025-48040, CVE-2025-48041,
+ CVE-2025-58050, PR-10155, PR-10156, PR-10157,
+ PR-10162, PR-19755, PR-9815
+System: OTP
+Release: 28
+Application: diameter-2.5.1, erts-16.0.3, ssh-5.3.3,
+ stdlib-7.0.3
+Predecessor: OTP 28.0.2
+
+Check out the git tag OTP-28.0.3, and build a full OTP system including
+documentation. Apply one or more applications from this build as patches to your
+installation using the 'otp_patch_apply' tool. For information on install
+requirements, see descriptions for each application version below.
+
+# POTENTIAL INCOMPATIBILITIES
+
+- Option max_handles can be configured for sshd running SFTP. The positive
+ integer value limits amount of file handles opened for a connection (by
+ default 4096 is used).
+
+ Own Id: OTP-19701
+ Application(s): ssh
+ Related Id(s): PR-10157, CVE-2025-48041
+
+- Avoid decoding KEX messages providing too many algorithms. This change does
+ not introduce new limitation but assures it is enforced earlier in processing
+ chain. Adjustments in error logging during handshake.
+
+ Own Id: OTP-19741
+ Application(s): ssh
+ Related Id(s): PR-10162, CVE-2025-48040
+
+- A new 'max_path' option is now available in the sshd configuration, allowing
+ administrators to set the maximum allowable path length. By default, this
+ value is set to 4096 characters.
+
+ Own Id: OTP-19742
+ Application(s): ssh
+ Related Id(s): PR-10155, CVE-2025-48039
+
+- Reject file handles exceeding size specified in RFCs (256 bytes).
+
+ Own Id: OTP-19748
+ Application(s): ssh
+ Related Id(s): PR-10156, CVE-2025-48038
+
+# diameter-2.5.1
+
+The diameter-2.5.1 application can be applied independently of other
+applications on a full OTP 28 installation.
+
+## Fixed Bugs and Malfunctions
+
+- With this change message_cb callback will be called with updated state for
+ processing 'ack' after 'send'.
+
+ Own Id: OTP-19753
+ Related Id(s): PR-9815
+
+> #### Full runtime dependencies of diameter-2.5.1
+>
+> erts-10.0, kernel-3.2, ssl-9.0, stdlib-5.0
+
+# erts-16.0.3
+
+The erts-16.0.3 application can be applied independently of other applications
+on a full OTP 28 installation.
+
+## Fixed Bugs and Malfunctions
+
+- Update PCRE2 from 10.45 to 10.46. Fixes potential buffer read overflow on
+ regular expressions with `(*scs:)` and `(*ACCEPT)` syntax combined.
+
+ Own Id: OTP-19755
+ Related Id(s): CVE-2025-58050
+
+- Fixed bug that could cause crash in beam started with
+ `erl -emu_type debug +JPperf true` with any type of tracing return from
+ function.
+
+ Own Id: OTP-19761
+ Related Id(s): PR-19755
+
+> #### Full runtime dependencies of erts-16.0.3
+>
+> kernel-9.0, sasl-3.3, stdlib-4.1
+
+# ssh-5.3.3
+
+The ssh-5.3.3 application can be applied independently of other applications on
+a full OTP 28 installation.
+
+## Fixed Bugs and Malfunctions
+
+- Option max_handles can be configured for sshd running SFTP. The positive
+ integer value limits amount of file handles opened for a connection (by
+ default 4096 is used).
+
+ Own Id: OTP-19701
+ Related Id(s): PR-10157, CVE-2025-48041
+
+ *** POTENTIAL INCOMPATIBILITY ***
+
+- Avoid decoding KEX messages providing too many algorithms. This change does
+ not introduce new limitation but assures it is enforced earlier in processing
+ chain. Adjustments in error logging during handshake.
+
+ Own Id: OTP-19741
+ Related Id(s): PR-10162, CVE-2025-48040
+
+ *** POTENTIAL INCOMPATIBILITY ***
+
+- A new 'max_path' option is now available in the sshd configuration, allowing
+ administrators to set the maximum allowable path length. By default, this
+ value is set to 4096 characters.
+
+ Own Id: OTP-19742
+ Related Id(s): PR-10155, CVE-2025-48039
+
+ *** POTENTIAL INCOMPATIBILITY ***
+
+- Reject file handles exceeding size specified in RFCs (256 bytes).
+
+ Own Id: OTP-19748
+ Related Id(s): PR-10156, CVE-2025-48038
+
+ *** POTENTIAL INCOMPATIBILITY ***
+
+> #### Full runtime dependencies of ssh-5.3.3
+>
+> crypto-5.0, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1,
+> stdlib-5.0, stdlib-6.0
+
+# stdlib-7.0.3
+
+Note! The stdlib-7.0.3 application _cannot_ be applied independently of other
+applications on an arbitrary OTP 28 installation.
+
+ On a full OTP 28 installation, also the following runtime
+ dependency has to be satisfied:
+ -- erts-16.0.3 (first satisfied in OTP 28.0.3)
+
+## Fixed Bugs and Malfunctions
+
+- Update PCRE2 from 10.45 to 10.46. Fixes potential buffer read overflow on
+ regular expressions with `(*scs:)` and `(*ACCEPT)` syntax combined.
+
+ Own Id: OTP-19755
+ Related Id(s): CVE-2025-58050
+
+> #### Full runtime dependencies of stdlib-7.0.3
+>
+> compiler-5.0, crypto-4.5, erts-16.0.3, kernel-10.0, sasl-3.0,
+> syntax_tools-3.2.1
+
+# Thanks to
+
+Alberto Sartori
+