1 files changed, 240 insertions, 0 deletions
diff --git a/release-notes/OTP-25.3.2.16.README.txt b/release-notes/OTP-25.3.2.16.README.txt
new file mode 100644
index 0000000..8851d88
--- /dev/null
+++ b/release-notes/OTP-25.3.2.16.README.txt
@@ -0,0 +1,240 @@
+Patch Package:           OTP 25.3.2.16
+Git Tag:                 OTP-25.3.2.16
+Date:                    2024-12-05
+Trouble Report Id:       OTP-19240, OTP-19311, OTP-19326, OTP-19330,
+                         OTP-19350, OTP-19352, OTP-19365, OTP-19379,
+                         OTP-19380
+Seq num:                 CVE-2024-53846, ERIERL-1157, GH-8755,
+                         GH-8829, GH-8929, GH-8983, GH-9009,
+                         OTP-19240, OTP-19532, PR-8840, PR-8878,
+                         PR-8980, PR-8995, PR-9008, PR-9053, PR-9080,
+                         PR-9130
+System:                  OTP
+Release:                 25
+Application:             common_test-1.24.0.5, erts-13.2.2.12,
+                         inets-8.3.1.5, public_key-1.13.3.5,
+                         ssh-4.15.3.8, ssl-10.9.1.7, stdlib-4.3.1.6
+Predecessor:             OTP 25.3.2.15
+
+ Check out the git tag OTP-25.3.2.16, and build a full OTP system
+ including documentation. Apply one or more applications from this
+ build as patches to your installation using the 'otp_patch_apply'
+ tool. For information on install requirements, see descriptions for
+ each application version below.
+
+ ---------------------------------------------------------------------
+ --- common_test-1.24.0.5 --------------------------------------------
+ ---------------------------------------------------------------------
+
+ The common_test-1.24.0.5 application can be applied independently of
+ other applications on a full OTP 25 installation.
+
+ --- Fixed Bugs and Malfunctions ---
+
+  OTP-19365    Application(s): common_test
+               Related Id(s): ERIERL-1157, PR-9080
+
+               With this change, cth_surefire hook module handles
+               group path reduction for a skipped group. This fixes a
+               bug manifesting with improper group path for a group
+               executed after a group which was skipped.
+
+
+ Full runtime dependencies of common_test-1.24.0.5: compiler-6.0,
+ crypto-4.5, debugger-4.1, erts-7.0, ftp-1.0, inets-6.0, kernel-8.4,
+ observer-2.1, runtime_tools-1.8.16, sasl-2.5, snmp-5.1.2, ssh-4.0,
+ stdlib-4.0, syntax_tools-1.7, tools-3.2, xmerl-1.3.8
+
+
+ ---------------------------------------------------------------------
+ --- erts-13.2.2.12 --------------------------------------------------
+ ---------------------------------------------------------------------
+
+ Note! The erts-13.2.2.12 application *cannot* be applied
+       independently of other applications on an arbitrary OTP 25
+       installation.
+
+       On a full OTP 25 installation, also the following runtime
+       dependencies have to be satisfied:
+       -- kernel-8.5 (first satisfied in OTP 25.1)
+       -- stdlib-4.1 (first satisfied in OTP 25.1)
+
+
+ --- Fixed Bugs and Malfunctions ---
+
+  OTP-19330    Application(s): erts
+               Related Id(s): GH-8983, PR-9008
+
+               Fix lock order violation if a NIF monitor down callback
+               calls enif_whereis_pid. Would cause debug emulator to
+               crash but could potentially lead to deadlocks in
+               optimized emulator.
+
+
+ Full runtime dependencies of erts-13.2.2.12: kernel-8.5, sasl-3.3,
+ stdlib-4.1
+
+
+ ---------------------------------------------------------------------
+ --- inets-8.3.1.5 ---------------------------------------------------
+ ---------------------------------------------------------------------
+
+ The inets-8.3.1.5 application can be applied independently of other
+ applications on a full OTP 25 installation.
+
+ --- Fixed Bugs and Malfunctions ---
+
+  OTP-19379    Application(s): inets
+               Related Id(s): GH-8829, PR-8878
+
+               Fixed a bug where calling httpc:set_options/2 when one
+               of keys: ipfamily or unix_socket, was not present,
+               would cause the other value to get overriden by the
+               default value. The validation of these options was also
+               improved.
+
+
+ Full runtime dependencies of inets-8.3.1.5: erts-13.0, kernel-6.0,
+ mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0,
+ stdlib-4.0
+
+
+ ---------------------------------------------------------------------
+ --- public_key-1.13.3.5 ---------------------------------------------
+ ---------------------------------------------------------------------
+
+ The public_key-1.13.3.5 application can be applied independently of
+ other applications on a full OTP 25 installation.
+
+ --- Fixed Bugs and Malfunctions ---
+
+  OTP-19240    Application(s): public_key
+               Related Id(s): PR-8840, OTP-19532
+
+               If both ext-key-usage and key-usage are defined for a
+               certificate it should be checked that these usages are
+               consistent with each other. This will have the affect
+               that such certificates where the ext-key-usages is
+               marked as critical and the usages is consistent with
+               the key-use it can be considered valid without
+               mandatory application specific checks for the
+               ext-key-useage extension.
+
+
+  OTP-19350    Application(s): public_key
+               Related Id(s): GH-9009, PR-9053
+
+               Handle decoding of EDDSA key properly, when decoding a
+               PEM file that contains only the public EDDSA key.
+
+
+ Full runtime dependencies of public_key-1.13.3.5: asn1-3.0,
+ crypto-4.6, erts-6.0, kernel-3.0, stdlib-3.5
+
+
+ ---------------------------------------------------------------------
+ --- ssh-4.15.3.8 ----------------------------------------------------
+ ---------------------------------------------------------------------
+
+ The ssh-4.15.3.8 application can be applied independently of other
+ applications on a full OTP 25 installation.
+
+ --- Fixed Bugs and Malfunctions ---
+
+  OTP-19326    Application(s): ssh
+               Related Id(s): GH-8929, PR-8995
+
+               With this change, ssh connection does not crash upon
+               receiving exit-signal message for an already terminated
+               channel.
+
+
+ Full runtime dependencies of ssh-4.15.3.8: crypto-5.0, erts-11.0,
+ kernel-6.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-3.15
+
+
+ ---------------------------------------------------------------------
+ --- ssl-10.9.1.7 ----------------------------------------------------
+ ---------------------------------------------------------------------
+
+ Note! The ssl-10.9.1.7 application *cannot* be applied independently
+       of other applications on an arbitrary OTP 25 installation.
+
+       On a full OTP 25 installation, also the following runtime
+       dependency has to be satisfied:
+       -- stdlib-4.1 (first satisfied in OTP 25.1)
+
+
+ --- Fixed Bugs and Malfunctions ---
+
+  OTP-19311    Application(s): ssl
+               Related Id(s): PR-8980
+
+               Avoid generating an internal alert for case that should
+               have been an orderly shutdown by the supervisor.
+
+
+  OTP-19352    Application(s): ssl
+               Related Id(s): PR-9130, CVE-2024-53846, OTP-19240
+
+               If present, extended key-usage TLS (SSL) role check
+               (pk-clientAuth, pk-serverAuth) should always be
+               performed for peer-cert. An intermediate CA cert may
+               relax the requirement if AnyExtendedKeyUsage purpose is
+               present.
+
+               In OTP-25.3.2.8, OTP-26.2 and OTP-27.0 these
+               requirements became too relaxed. There where two
+               problems, firstly the peer cert extension was only
+               checked if it was marked critical, and secondly the CA
+               cert check did not assert the relaxed
+               AnyExtendedKeyUsage purpose.
+
+               This could result in that certificates might be misused
+               for purposes not intended by the certificate authority.
+
+               Thanks to Bryan Paxton for reporting the issue.
+
+
+ Full runtime dependencies of ssl-10.9.1.7: crypto-5.0, erts-10.0,
+ inets-5.10.7, kernel-8.4, public_key-1.11.3, runtime_tools-1.15.1,
+ stdlib-4.1
+
+
+ ---------------------------------------------------------------------
+ --- stdlib-4.3.1.6 --------------------------------------------------
+ ---------------------------------------------------------------------
+
+ Note! The stdlib-4.3.1.6 application *cannot* be applied
+       independently of other applications on an arbitrary OTP 25
+       installation.
+
+       On a full OTP 25 installation, also the following runtime
+       dependencies have to be satisfied:
+       -- erts-13.1 (first satisfied in OTP 25.1)
+       -- kernel-8.5.1 (first satisfied in OTP 25.1.1)
+
+
+ --- Fixed Bugs and Malfunctions ---
+
+  OTP-19380    Application(s): stdlib
+               Related Id(s): GH-8755
+
+               Fixed an error in uri_string:percent_decode spec
+
+
+ Full runtime dependencies of stdlib-4.3.1.6: compiler-5.0,
+ crypto-4.5, erts-13.1, kernel-8.5.1, sasl-3.0
+
+
+ ---------------------------------------------------------------------
+ --- Thanks to -------------------------------------------------------
+ ---------------------------------------------------------------------
+
+ Marko Mindek, zmstone
+
+
+ ---------------------------------------------------------------------
+ ---------------------------------------------------------------------
+ ---------------------------------------------------------------------
+