Patch Package: OTP 24.3.4.15 Git Tag: OTP-24.3.4.15 Date: 2023-12-18 Trouble Report Id: OTP-18802, OTP-18830, OTP-18844, OTP-18850, OTP-18869, OTP-18877, OTP-18885, OTP-18896, OTP-18897, OTP-18899, OTP-18902 Seq num: GH-7571, GH-7834, GH-7890 System: OTP Release: 24 Application: asn1-5.0.18.2, erl_interface-5.2.2.1, erts-12.3.2.15, mnesia-4.20.4.4, ssh-4.13.2.4 Predecessor: OTP 24.3.4.14 Check out the git tag OTP-24.3.4.15, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below. --------------------------------------------------------------------- --- POTENTIAL INCOMPATIBILITIES ------------------------------------- --------------------------------------------------------------------- OTP-18897 Application(s): ssh With this change (being response to CVE-2023-48795), ssh can negotiate "strict KEX" OpenSSH extension with peers supporting it; also 'chacha20-poly1305@openssh.com' algorithm becomes a less preferred cipher. If strict KEX availability cannot be ensured on both connection sides, affected encryption modes(CHACHA and CBC) can be disabled with standard ssh configuration. This will provide protection against vulnerability, but at a cost of affecting interoperability. See Configuring algorithms in SSH. --------------------------------------------------------------------- --- OTP-24.3.4.15 --------------------------------------------------- --------------------------------------------------------------------- --- Improvements and New Features --- OTP-18896 Application(s): otp Updated copyright and license information. --------------------------------------------------------------------- --- asn1-5.0.18.2 --------------------------------------------------- --------------------------------------------------------------------- The asn1-5.0.18.2 application can be applied independently of other applications on a full OTP 24 installation. --- Fixed Bugs and Malfunctions --- OTP-18844 Application(s): asn1 Fix benign warning from gcc 11 about mismatching call to free(). Full runtime dependencies of asn1-5.0.18.2: erts-11.0, kernel-7.0, stdlib-3.13 --------------------------------------------------------------------- --- erl_interface-5.2.2.1 ------------------------------------------- --------------------------------------------------------------------- The erl_interface-5.2.2.1 application can be applied independently of other applications on a full OTP 24 installation. --- Improvements and New Features --- OTP-18877 Application(s): erl_interface, erts Replaced old md5 implementation with an implementation from OpenSSL. --------------------------------------------------------------------- --- erts-12.3.2.15 -------------------------------------------------- --------------------------------------------------------------------- Note! The erts-12.3.2.15 application *cannot* be applied independently of other applications on an arbitrary OTP 24 installation. On a full OTP 24 installation, also the following runtime dependency has to be satisfied: -- kernel-8.3 (first satisfied in OTP 24.3) --- Fixed Bugs and Malfunctions --- OTP-18802 Application(s): erts Fix faulty debug assert when page size is larger than 16kb, like on PowerPC. Did crash debug VM directly at start. OTP-18885 Application(s): erts Related Id(s): GH-7834, GH-7890, PR-7915 On OTP 24 and OTP 25, incoming distributed messages larger than 64 KiB sent using an alias leaked memory if the alias had been removed prior to entering the node. This issue was not present on OTP 26. Incoming distributed messages larger than 64 KiB sent using an alias which had been removed on the receiving node could crash the node. This crash was quite unlikely on OTP 24 and OTP 25, but very likely on OTP 26. 'DOWN' signals with exit reason larger than 64 KiB directed towards a process on a node with a not matching creation leaked memory on the receiving node. Such signals should however be very rare. OTP-18902 Application(s): erts Removed unnecessary PCRE source tar-ball. --- Improvements and New Features --- OTP-18830 Application(s): erts Related Id(s): PR-7823 Removed unnecessary regexp library used when generating yielding BIFs. OTP-18877 Application(s): erl_interface, erts Replaced old md5 implementation with an implementation from OpenSSL. OTP-18899 Application(s): erts Removed unused makewhatis script. Full runtime dependencies of erts-12.3.2.15: kernel-8.3, sasl-3.3, stdlib-3.13 --------------------------------------------------------------------- --- mnesia-4.20.4.4 ------------------------------------------------- --------------------------------------------------------------------- The mnesia-4.20.4.4 application can be applied independently of other applications on a full OTP 24 installation. --- Fixed Bugs and Malfunctions --- OTP-18850 Application(s): mnesia mnesia:add_table_copy/3 no longer fails with reason system_limit when the node is starting. Full runtime dependencies of mnesia-4.20.4.4: erts-9.0, kernel-5.3, stdlib-3.4 --------------------------------------------------------------------- --- ssh-4.13.2.4 ---------------------------------------------------- --------------------------------------------------------------------- The ssh-4.13.2.4 application can be applied independently of other applications on a full OTP 24 installation. --- Fixed Bugs and Malfunctions --- OTP-18869 Application(s): ssh Related Id(s): GH-7571, PR-7849 With this change, connection handler does not execute socket operations until it becomes socket owner. Previously errors could occur if connection handler tried to work with socket whose owner exited. OTP-18897 Application(s): ssh *** POTENTIAL INCOMPATIBILITY *** With this change (being response to CVE-2023-48795), ssh can negotiate "strict KEX" OpenSSH extension with peers supporting it; also 'chacha20-poly1305@openssh.com' algorithm becomes a less preferred cipher. If strict KEX availability cannot be ensured on both connection sides, affected encryption modes(CHACHA and CBC) can be disabled with standard ssh configuration. This will provide protection against vulnerability, but at a cost of affecting interoperability. See Configuring algorithms in SSH. Full runtime dependencies of ssh-4.13.2.4: crypto-5.0, erts-9.0, kernel-5.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-3.15 --------------------------------------------------------------------- --------------------------------------------------------------------- ---------------------------------------------------------------------