release-notes/OTP-27.3.4.1.README.txt


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219

Patch Package:           OTP 27.3.4.1
Git Tag:                 OTP-27.3.4.1
Date:                    2025-06-16
Trouble Report Id:       OTP-19634, OTP-19635, OTP-19637, OTP-19638,
                         OTP-19640, OTP-19646, OTP-19647, OTP-19649,
                         OTP-19653, OTP-19658, OTP-19659, OTP-19662,
                         OTP-19667, OTP-19676
Seq num:                 CVE-2025-4748, ERIERL-1225, ERIERL-1235,
                         GH-6463, GH-9102, GH-9722, GH-9771, GH-9816,
                         GH-9841, GH-9875, PR-9103, PR-9691, PR-9838,
                         PR-9846, PR-9849, PR-9859, PR-9876, PR-9896,
                         PR-9897, PR-9898, PR-9905, PR-9912, PR-9941
System:                  OTP
Release:                 27
Application:             asn1-5.3.4.1, eldap-1.2.14.1,
                         kernel-10.2.7.1, ssh-5.2.11.1, ssl-11.2.12.1,
                         stdlib-6.2.2.1, xmerl-2.1.3.1
Predecessor:             OTP 27.3.4

Check out the git tag OTP-27.3.4.1, and build a full OTP system including
documentation. Apply one or more applications from this build as patches to your
installation using the 'otp_patch_apply' tool. For information on install
requirements, see descriptions for each application version below.

# OTP-27.3.4.1

## Fixed Bugs and Malfunctions

- Disable warnings as error for `ex_doc` when any Erlang/OTP application has
  been disabled by configure.

  Own Id: OTP-19646
  Related Id(s): GH-9875, PR-9876

# asn1-5.3.4.1

The asn1-5.3.4.1 application can be applied independently of other applications
on a full OTP 27 installation.

## Fixed Bugs and Malfunctions

- The ASN.1 compiler could generate code that would cause Dialyzer with the
  `unmatched_returns` option to emit warnings.

  Own Id: OTP-19638
  Related Id(s): GH-9841, PR-9846

> #### Full runtime dependencies of asn1-5.3.4.1
>
> erts-14.0, kernel-9.0, stdlib-5.0

# eldap-1.2.14.1

The eldap-1.2.14.1 application can be applied independently of other
applications on a full OTP 27 installation.

## Fixed Bugs and Malfunctions

- With this change eldap's 'not' function will have specs fixed.

  Own Id: OTP-19658
  Related Id(s): PR-9859

> #### Full runtime dependencies of eldap-1.2.14.1
>
> asn1-3.0, erts-6.0, kernel-3.0, ssl-5.3.4, stdlib-3.4

# kernel-10.2.7.1

Note! The kernel-10.2.7.1 application _cannot_ be applied independently of other
applications on an arbitrary OTP 27 installation.

       On a full OTP 27 installation, also the following runtime
       dependency has to be satisfied:
       -- erts-15.2.5 (first satisfied in OTP 27.3.2)

## Fixed Bugs and Malfunctions

- A remote shell can now exit by closing the input stream, without terminating
  the remote node.

  Own Id: OTP-19667
  Related Id(s): PR-9912

## Improvements and New Features

- Document default buffer sizes

  Own Id: OTP-19640
  Related Id(s): GH-9722

> #### Full runtime dependencies of kernel-10.2.7.1
>
> crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-6.0

# ssh-5.2.11.1

The ssh-5.2.11.1 application can be applied independently of other applications
on a full OTP 27 installation.

## Fixed Bugs and Malfunctions

- Various channel closing robustness improvements. Avoid crashes when channel
  handling process closes channel and immediately exits. Avoid breaking the
  protocol by sending duplicated channel-close messages. Cleanup channels which
  timeout during closing procedure.

  Own Id: OTP-19634
  Related Id(s): GH-9102, PR-9103

- Improved interoperability with clients acting as Paramiko.

  Own Id: OTP-19637
  Related Id(s): GH-6463, PR-9838

> #### Full runtime dependencies of ssh-5.2.11.1
>
> crypto-5.0, erts-14.0, kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1,
> stdlib-5.0, stdlib-6.0

# ssl-11.2.12.1

Note! The ssl-11.2.12.1 application _cannot_ be applied independently of other
applications on an arbitrary OTP 27 installation.

       On a full OTP 27 installation, also the following runtime
       dependency has to be satisfied:
       -- public_key-1.16.4 (first satisfied in OTP 27.1.3)

## Fixed Bugs and Malfunctions

- hs_keylog callback properly handle alert in initial states, where encryption
  is not yet used. Also add keylog callback invocation for corner-case where
  server alert is encrypted with application secrets as client is already in
  connection state.

  Own Id: OTP-19635
  Related Id(s): ERIERL-1235, PR-9849

## Improvements and New Features

- The documentation for SSL option `verify_fun` has been improved.

  Own Id: OTP-19676
  Related Id(s): PR-9691

> #### Full runtime dependencies of ssl-11.2.12.1
>
> crypto-5.0, erts-15.0, inets-5.10.7, kernel-9.0, public_key-1.16.4,
> runtime_tools-1.15.1, stdlib-6.0

# stdlib-6.2.2.1

The stdlib-6.2.2.1 application can be applied independently of other
applications on a full OTP 27 installation.

## Fixed Bugs and Malfunctions

- The `save_module/1` command in the shell now saves both the locally defined
  records and the imported records using the `rr/1` command.

  Own Id: OTP-19647
  Related Id(s): GH-9816, PR-9897

- It's now possible to write `lists:map(fun is_atom/1, [])` or
  `lists:map(fun my_func/1, [])`, in the shell, instead of
  `lists:map(fun erlang:is_atom/1, [])` or
  `lists:map(fun shell_default:my_func/1, [])`.

  Own Id: OTP-19649
  Related Id(s): GH-9771, PR-9898

- Properly strip the leading `/` and drive letter from filepaths when zipping
  and unzipping archives.

  Thanks to Wander Nauta for finding and responsibly disclosing this
  vulnerability to the Erlang/OTP project.

  Own Id: OTP-19653
  Related Id(s): PR-9941, CVE-2025-4748

- Shell no longer crashes when requesting to autocomplete map keys containing
  non-atoms.

  Own Id: OTP-19659
  Related Id(s): PR-9896

- A remote shell can now exit by closing the input stream, without terminating
  the remote node.

  Own Id: OTP-19667
  Related Id(s): PR-9912

> #### Full runtime dependencies of stdlib-6.2.2.1
>
> compiler-5.0, crypto-4.5, erts-15.0, kernel-10.0, sasl-3.0

# xmerl-2.1.3.1

The xmerl-2.1.3.1 application can be applied independently of other applications
on a full OTP 27 installation.

## Fixed Bugs and Malfunctions

- The type specs of xmerl_scan:file/2 and xmerl_scan:string/2 has been
  updated to return `dynamic/0`. Due to hook functions they can return any user
  defined term.

  Own Id: OTP-19662
  Related Id(s): ERIERL-1225, PR-9905

> #### Full runtime dependencies of xmerl-2.1.3.1
>
> erts-6.0, kernel-8.4, stdlib-2.5

# Thanks to

Dan Janowski, Ilya Averyanov, Yaroslav Maslennikov