1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
|
Patch Package: OTP 25.3.2.8
Git Tag: OTP-25.3.2.8
Date: 2023-12-18
Trouble Report Id: OTP-18739, OTP-18768, OTP-18802, OTP-18830,
OTP-18838, OTP-18839, OTP-18841, OTP-18842,
OTP-18844, OTP-18850, OTP-18869, OTP-18877,
OTP-18885, OTP-18886, OTP-18896, OTP-18897,
OTP-18899, OTP-18902
Seq num: GH-7571, GH-7801, GH-7834, GH-7890
System: OTP
Release: 25
Application: asn1-5.0.21.1, erl_interface-5.3.2.1,
erts-13.2.2.5, mnesia-4.21.4.2,
public_key-1.13.3.2, ssh-4.15.3.1,
ssl-10.9.1.3, wx-2.2.2.1
Predecessor: OTP 25.3.2.7
Check out the git tag OTP-25.3.2.8, and build a full OTP system
including documentation. Apply one or more applications from this
build as patches to your installation using the 'otp_patch_apply'
tool. For information on install requirements, see descriptions for
each application version below.
---------------------------------------------------------------------
--- POTENTIAL INCOMPATIBILITIES -------------------------------------
---------------------------------------------------------------------
OTP-18897 Application(s): ssh
With this change (being response to CVE-2023-48795),
ssh can negotiate "strict KEX" OpenSSH extension with
peers supporting it; also
'[email protected]' algorithm becomes a
less preferred cipher.
If strict KEX availability cannot be ensured on both
connection sides, affected encryption modes(CHACHA and
CBC) can be disabled with standard ssh configuration.
This will provide protection against vulnerability, but
at a cost of affecting interoperability. See
Configuring algorithms in SSH.
---------------------------------------------------------------------
--- OTP-25.3.2.8 ----------------------------------------------------
---------------------------------------------------------------------
--- Improvements and New Features ---
OTP-18896 Application(s): otp
Updated copyright and license information.
---------------------------------------------------------------------
--- asn1-5.0.21.1 ---------------------------------------------------
---------------------------------------------------------------------
The asn1-5.0.21.1 application can be applied independently of other
applications on a full OTP 25 installation.
--- Fixed Bugs and Malfunctions ---
OTP-18844 Application(s): asn1
Fix benign warning from gcc 11 about mismatching call
to free().
Full runtime dependencies of asn1-5.0.21.1: erts-11.0, kernel-7.0,
stdlib-3.13
---------------------------------------------------------------------
--- erl_interface-5.3.2.1 -------------------------------------------
---------------------------------------------------------------------
The erl_interface-5.3.2.1 application can be applied independently of
other applications on a full OTP 25 installation.
--- Improvements and New Features ---
OTP-18877 Application(s): erl_interface, erts
Replaced old md5 implementation with an implementation
from OpenSSL.
---------------------------------------------------------------------
--- erts-13.2.2.5 ---------------------------------------------------
---------------------------------------------------------------------
Note! The erts-13.2.2.5 application *cannot* be applied independently
of other applications on an arbitrary OTP 25 installation.
On a full OTP 25 installation, also the following runtime
dependencies have to be satisfied:
-- kernel-8.5 (first satisfied in OTP 25.1)
-- stdlib-4.1 (first satisfied in OTP 25.1)
--- Fixed Bugs and Malfunctions ---
OTP-18802 Application(s): erts
Fix faulty debug assert when page size is larger than
16kb, like on PowerPC. Did crash debug VM directly at
start.
OTP-18838 Application(s): erts
Related Id(s): GH-7801, PR-7822
A process with message_queue_data configured as
off_heap could end up in an inconsistent state when
being receive traced, inspected using process_info/2
with the message_queue_len item, or inspected using the
break menu (CTRL-C). When it ended up in this
inconsistent state, it was not enqueued into a run
queue even though it was set in a runnable state.This
also effected signals being sent to the process after
it had gotten into this inconsistent state, in such a
way that it was from this point not possible to
communicate with it.
OTP-18839 Application(s): erts
Related Id(s): GH-7801, PR-7822
A race occurring when a process was selected for dirty
execution simultaneously as it was scheduled for
handling a signal could cause the process to end up in
an inconsistent state. When it ended up in this
inconsistent state, it was not enqueued into a run
queue even though it was set in a runnable state. This
also effected signals being sent to the process after
it had gotten into this inconsistent state, in such a
way that it was from this point not possible to
communicate with it.
OTP-18841 Application(s): erts
Related Id(s): GH-7801, OTP-18737, PR-7822
When a process had to to wait in the run queue for a
long time before being selected for dirty execution, it
could not receive signals. This caused inspection of
such a process, for example using process_info/2, to
take a long time.
This issue was introduced in OTP 25.3.2.6 and 26.1 when
fixing an issue where a constant flow of signals
prevented a process from being able to execute dirty.
OTP-18842 Application(s): erts
Fixed a bug in the JIT that miscompiled large
select_val instructions.
OTP-18885 Application(s): erts
Related Id(s): GH-7834, GH-7890, PR-7915
On OTP 24 and OTP 25, incoming distributed messages
larger than 64 KiB sent using an alias leaked memory if
the alias had been removed prior to entering the node.
This issue was not present on OTP 26.
Incoming distributed messages larger than 64 KiB sent
using an alias which had been removed on the receiving
node could crash the node. This crash was quite
unlikely on OTP 24 and OTP 25, but very likely on OTP
26.
'DOWN' signals with exit reason larger than 64 KiB
directed towards a process on a node with a not
matching creation leaked memory on the receiving node.
Such signals should however be very rare.
OTP-18902 Application(s): erts
Removed unnecessary PCRE source tar-ball.
--- Improvements and New Features ---
OTP-18830 Application(s): erts
Related Id(s): PR-7823
Removed unnecessary regexp library used when generating
yielding BIFs.
OTP-18877 Application(s): erl_interface, erts
Replaced old md5 implementation with an implementation
from OpenSSL.
OTP-18899 Application(s): erts
Removed unused makewhatis script.
Full runtime dependencies of erts-13.2.2.5: kernel-8.5, sasl-3.3,
stdlib-4.1
---------------------------------------------------------------------
--- mnesia-4.21.4.2 -------------------------------------------------
---------------------------------------------------------------------
The mnesia-4.21.4.2 application can be applied independently of other
applications on a full OTP 25 installation.
--- Fixed Bugs and Malfunctions ---
OTP-18850 Application(s): mnesia
mnesia:add_table_copy/3 no longer fails with reason
system_limit when the node is starting.
Full runtime dependencies of mnesia-4.21.4.2: erts-9.0, kernel-5.3,
stdlib-3.4
---------------------------------------------------------------------
--- public_key-1.13.3.2 ---------------------------------------------
---------------------------------------------------------------------
The public_key-1.13.3.2 application can be applied independently of
other applications on a full OTP 25 installation.
--- Fixed Bugs and Malfunctions ---
OTP-18739 Application(s): public_key, ssl
ssl application will validate id-kp-serverAuth and
id-kp-clientAuth extended key usage only in end entity
certificates. public_key application will disallow
"anyExtendedKeyUsage" for CA certificates that includes
the extended key usage extension and marks it critical.
Full runtime dependencies of public_key-1.13.3.2: asn1-3.0,
crypto-4.6, erts-6.0, kernel-3.0, stdlib-3.5
---------------------------------------------------------------------
--- ssh-4.15.3.1 ----------------------------------------------------
---------------------------------------------------------------------
The ssh-4.15.3.1 application can be applied independently of other
applications on a full OTP 25 installation.
--- Fixed Bugs and Malfunctions ---
OTP-18869 Application(s): ssh
Related Id(s): GH-7571, PR-7849
With this change, connection handler does not execute
socket operations until it becomes socket owner.
Previously errors could occur if connection handler
tried to work with socket whose owner exited.
OTP-18897 Application(s): ssh
*** POTENTIAL INCOMPATIBILITY ***
With this change (being response to CVE-2023-48795),
ssh can negotiate "strict KEX" OpenSSH extension with
peers supporting it; also
'[email protected]' algorithm becomes a
less preferred cipher.
If strict KEX availability cannot be ensured on both
connection sides, affected encryption modes(CHACHA and
CBC) can be disabled with standard ssh configuration.
This will provide protection against vulnerability, but
at a cost of affecting interoperability. See
Configuring algorithms in SSH.
Full runtime dependencies of ssh-4.15.3.1: crypto-5.0, erts-11.0,
kernel-6.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-3.15
---------------------------------------------------------------------
--- ssl-10.9.1.3 ----------------------------------------------------
---------------------------------------------------------------------
Note! The ssl-10.9.1.3 application *cannot* be applied independently
of other applications on an arbitrary OTP 25 installation.
On a full OTP 25 installation, also the following runtime
dependency has to be satisfied:
-- stdlib-4.1 (first satisfied in OTP 25.1)
--- Fixed Bugs and Malfunctions ---
OTP-18739 Application(s): public_key, ssl
ssl application will validate id-kp-serverAuth and
id-kp-clientAuth extended key usage only in end entity
certificates. public_key application will disallow
"anyExtendedKeyUsage" for CA certificates that includes
the extended key usage extension and marks it critical.
OTP-18886 Application(s): ssl
Add missing export for connection_info() API type.
Full runtime dependencies of ssl-10.9.1.3: crypto-5.0, erts-10.0,
inets-5.10.7, kernel-8.4, public_key-1.11.3, runtime_tools-1.15.1,
stdlib-4.1
---------------------------------------------------------------------
--- wx-2.2.2.1 ------------------------------------------------------
---------------------------------------------------------------------
The wx-2.2.2.1 application can be applied independently of other
applications on a full OTP 25 installation.
--- Fixed Bugs and Malfunctions ---
OTP-18768 Application(s): wx
Related Id(s): PR-7670
The wx application would fail to build on macOS with
Xcode 15.
Full runtime dependencies of wx-2.2.2.1: erts-12.0, kernel-8.0,
stdlib-3.15
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
|