Patch Package: OTP 27.3.3 Git Tag: OTP-27.3.3 Date: 2025-04-16 Trouble Report Id: OTP-19581, OTP-19582, OTP-19585, OTP-19592, OTP-19595 Seq num: CVE-2025-32433, ERIERL-1219, ERIERL-1222, PR-9566, PR-9679, PR-9706 System: OTP Release: 27 Application: erts-15.2.6, kernel-10.2.6, megaco-4.7.2, ssh-5.2.10, ssl-11.2.12 Predecessor: OTP 27.3.2 Check out the git tag OTP-27.3.3, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below. # erts-15.2.6 The erts-15.2.6 application can be applied independently of other applications on a full OTP 27 installation. ## Fixed Bugs and Malfunctions - Fixed bug in `call_memory` tracing that could cause wildly incorrect reported memory values. Bug exists since OTP 27.1. Also fixed return type spec of trace:info/3. Own Id: OTP-19581 Related Id(s): ERIERL-1219, PR-9706 > #### Full runtime dependencies of erts-15.2.6 > > kernel-9.0, sasl-3.3, stdlib-4.1 # kernel-10.2.6 Note! The kernel-10.2.6 application _cannot_ be applied independently of other applications on an arbitrary OTP 27 installation. On a full OTP 27 installation, also the following runtime dependency has to be satisfied: -- erts-15.2.5 (first satisfied in OTP 27.3.2) ## Fixed Bugs and Malfunctions - Fixed bug in `call_memory` tracing that could cause wildly incorrect reported memory values. Bug exists since OTP 27.1. Also fixed return type spec of trace:info/3. Own Id: OTP-19581 Related Id(s): ERIERL-1219, PR-9706 > #### Full runtime dependencies of kernel-10.2.6 > > crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-6.0 # megaco-4.7.2 The megaco-4.7.2 application can be applied independently of other applications on a full OTP 27 installation. ## Fixed Bugs and Malfunctions - Corrected type spec for type mid(). Own Id: OTP-19585 Related Id(s): ERIERL-1222 > #### Full runtime dependencies of megaco-4.7.2 > > asn1-3.0, debugger-4.0, erts-12.0, et-1.5, kernel-8.0, runtime_tools-1.8.14, > stdlib-2.5 # ssh-5.2.10 The ssh-5.2.10 application can be applied independently of other applications on a full OTP 27 installation. ## Fixed Bugs and Malfunctions - Reception of wrong Unicode does not cause unnecessary processing. US-ASCII fields are not decoded as Unicode. Own Id: OTP-19582 Related Id(s): PR-9679 - SSH daemon disconnects upon receiving connection protocol message for unauthenticated used. Thanks to Fabian Bäumer, Marcel Maehren, Marcus Brinkmann, Nurullah Erinola, Jörg Schwenk (Ruhr University Bochum). Own Id: OTP-19595 Related Id(s): CVE-2025-32433 > #### Full runtime dependencies of ssh-5.2.10 > > crypto-5.0, erts-14.0, kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, > stdlib-5.0, stdlib-6.0 # ssl-11.2.12 Note! The ssl-11.2.12 application _cannot_ be applied independently of other applications on an arbitrary OTP 27 installation. On a full OTP 27 installation, also the following runtime dependency has to be satisfied: -- public_key-1.16.4 (first satisfied in OTP 27.1.3) ## Improvements and New Features - Lower log level for user cancelation as this is not an error case. Also handle possible undecrypted close alert during TLS-1.3 handshake. Own Id: OTP-19592 Related Id(s): PR-9566 > #### Full runtime dependencies of ssl-11.2.12 > > crypto-5.0, erts-15.0, inets-5.10.7, kernel-9.0, public_key-1.16.4, > runtime_tools-1.15.1, stdlib-6.0 # Thanks to Simon Cornish