Patch Package: OTP 27.3.4.3
Git Tag: OTP-27.3.4.3
Date: 2025-09-10
Trouble Report Id: OTP-19701, OTP-19719, OTP-19722, OTP-19728, OTP-19729, OTP-19740, OTP-19741, OTP-19742, OTP-19748, OTP-19760
Seq num: CVE-2025-48038, CVE-2025-48039, CVE-2025-48040, CVE-2025-48041, GH-10057, GH-10065, GH-10072, GH-10077, GH-10103, GH-3392, PR-10066, PR-10090, PR-10093, PR-10118, PR-10120, PR-10155, PR-10156, PR-10157, PR-10162, PR-6223
System: OTP
Release: 27
Application: compiler-8.6.1.2, debugger-5.5.0.1, erts-15.2.7.2, inets-9.3.2.1, ssh-5.2.11.3, syntax_tools-3.2.2.1
Predecessor: OTP 27.3.4.2
Check out the git tag OTP-27.3.4.3, and build a full OTP system including
documentation. Apply one or more applications from this build as patches to your
installation using the 'otp_patch_apply' tool. For information on install
requirements, see descriptions for each application version below.
# POTENTIAL INCOMPATIBILITIES
- Option max_handles can be configured for sshd running SFTP. The positive
integer value limits the number of file handles opened for a connection (by
default 4096 is used).
Own Id: OTP-19701
Application(s): ssh
Related Id(s): PR-10157, CVE-2025-48041
- Avoid decoding KEX messages that provide too many algorithms. This change does
not introduce a new limitation but ensures that it is enforced earlier in the
processing chain. Error logging during the handshake has also been adjusted.
Own Id: OTP-19741
Application(s): ssh
Related Id(s): PR-10162, CVE-2025-48040
- A new 'max_path' option is now available in the sshd configuration, allowing
administrators to set the maximum allowable path length. By default, this
value is set to 4096 characters.
Own Id: OTP-19742
Application(s): ssh
Related Id(s): PR-10155, CVE-2025-48039
- Reject file handles exceeding the size specified in the RFCs (256 bytes).
Own Id: OTP-19748
Application(s): ssh
Related Id(s): PR-10156, CVE-2025-48038
# compiler-8.6.1.2
The compiler-8.6.1.2 application can be applied independently of other
applications on a full OTP 27 installation.
## Fixed Bugs and Malfunctions
- In rare circumstances, the compiler could crash when compiling code using bit
syntax construction.
Own Id: OTP-19722
Related Id(s): GH-10077, PR-10090
> #### Full runtime dependencies of compiler-8.6.1.2
>
> crypto-5.1, erts-13.0, kernel-8.4, stdlib-6.0
# debugger-5.5.0.1
The debugger-5.5.0.1 application can be applied independently of other
applications on a full OTP 27 installation.
## Fixed Bugs and Malfunctions
- Fix unbound error in interpreted modules
Own Id: OTP-19719
Related Id(s): GH-10057, PR-10066
> #### Full runtime dependencies of debugger-5.5.0.1
>
> compiler-8.0, erts-15.0, kernel-10.0, stdlib-3.15, wx-2.0
# erts-15.2.7.2
The erts-15.2.7.2 application can be applied independently of other applications
on a full OTP 27 installation.
## Fixed Bugs and Malfunctions
- As an optimization, when unicode:characters_to_binary/3 was used to
convert from `latin1` to `utf8` or vice versa, it would return the original
binary unchanged if it only contained 7-bit ASCII characters. That
optimization was broken in Erlang/OTP 27, and has now been mended.
Own Id: OTP-19728
Related Id(s): GH-10072, PR-10093
> #### Full runtime dependencies of erts-15.2.7.2
>
> kernel-9.0, sasl-3.3, stdlib-4.1
# inets-9.3.2.1
The inets-9.3.2.1 application can be applied independently of other applications
on a full OTP 27 installation.
## Fixed Bugs and Malfunctions
- Fixed a bug where a request sent to an httpd server that uses a CGI script to
generate a response would pollute the server's environment variable
`HTTP_PROXY` for that request. This bug is also known as httpoxy. More
information: CVE-2016-1000107
Own Id: OTP-19729
Related Id(s): GH-3392, PR-6223
- Fixed an RFC 2616 violation, where an HTTP request made by httpc without
providing any options would be sent with an empty TE header, without also
having a TE value in the Connection header. Now the default request doesn't
send a TE header at all.
Own Id: OTP-19760
Related Id(s): GH-10065, PR-10120
> #### Full runtime dependencies of inets-9.3.2.1
>
> erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14,
> ssl-9.0, stdlib-5.0, stdlib-6.0
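
The httpoxy entry above comes down to how CGI names its variables: every request header is exported as `HTTP_` plus the upper-cased header name, so a client-sent `Proxy` header lands in `HTTP_PROXY`. The module below is an added illustration of that mapping with the header filtered out; it is not the inets httpd code, and the module name, function names and sample headers are constructed for this example.

```erlang
-module(cgi_env_example).
-export([header_env/1, demo/0]).

%% Illustrative sketch only; not the inets httpd implementation.
%% CGI (RFC 3875) exposes each request header to the script as an
%% environment variable: "HTTP_" ++ upper-cased name, "-" replaced by "_".
%% A request header named "Proxy" would therefore become HTTP_PROXY, a
%% variable that many HTTP client libraries read as their proxy setting.

%% Request headers that must never be exported as HTTP_* variables.
-define(BLOCKED, ["proxy"]).

%% header_env([{Name, Value}]) -> [{EnvName, Value}]
%% Header names are case-insensitive, so compare in lower case.
header_env(Headers) ->
    [{env_name(Name), Value}
     || {Name, Value} <- Headers,
        not lists:member(string:lowercase(Name), ?BLOCKED)].

%% "Accept-Language" -> "HTTP_ACCEPT_LANGUAGE"
env_name(Name) ->
    "HTTP_" ++ [case C of $- -> $_; _ -> C end
                || C <- string:uppercase(Name)].

demo() ->
    %% Constructed sample request headers.
    Headers = [{"Host", "shop.example"},
               {"Accept-Language", "en"},
               {"pRoXy", "http://proxy.invalid:8080"}],
    Env = header_env(Headers),
    %% The client-controlled header never reaches the script's environment.
    false = lists:keymember("HTTP_PROXY", 1, Env),
    [{"HTTP_HOST", "shop.example"},
     {"HTTP_ACCEPT_LANGUAGE", "en"}] = Env,
    Env.
```
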
# ssh-5.2.11.3
The ssh-5.2.11.3 application can be applied independently of other applications
on a full OTP 27 installation.
## Fixed Bugs and Malfunctions
- Option max_handles can be configured for sshd running SFTP. The positive
integer value limits the number of file handles opened for a connection (by
default 4096 is used).
Own Id: OTP-19701
Related Id(s): PR-10157, CVE-2025-48041
*** POTENTIAL INCOMPATIBILITY ***
- Avoid decoding KEX messages that provide too many algorithms. This change does
not introduce a new limitation but ensures that it is enforced earlier in the
processing chain. Error logging during the handshake has also been adjusted.
Own Id: OTP-19741
Related Id(s): PR-10162, CVE-2025-48040
*** POTENTIAL INCOMPATIBILITY ***
- A new 'max_path' option is now available in the sshd configuration, allowing
administrators to set the maximum allowable path length. By default, this
value is set to 4096 characters.
Own Id: OTP-19742
Related Id(s): PR-10155, CVE-2025-48039
*** POTENTIAL INCOMPATIBILITY ***
- Reject file handles exceeding the size specified in the RFCs (256 bytes).
Own Id: OTP-19748
Related Id(s): PR-10156, CVE-2025-48038
*** POTENTIAL INCOMPATIBILITY ***
> #### Full runtime dependencies of ssh-5.2.11.3
>
> crypto-5.0, erts-14.0, kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1,
> stdlib-5.0, stdlib-6.0
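
The three SFTP entries above (max_handles, max_path, and the 256-byte handle limit) all bound client-controlled values before the server commits resources to them. The module below is an added sketch of that pattern, not the OTP ssh_sftpd code: the module, the function names and the `Limits` map are hypothetical, and it counts path length in bytes as a simplifying assumption.

```erlang
-module(sftp_limits_example).
-export([decode_string/2, open/3, demo/0]).

%% Illustrative sketch, not the OTP ssh_sftpd code; all names are hypothetical.
-define(MAX_HANDLE_LEN, 256).  % handle size limit stated in the release note

%% An SFTP string is a uint32 length followed by that many bytes. Compare the
%% declared length with the limit before extracting the payload.
decode_string(<<Len:32/unsigned-big, _/binary>>, Max) when Len > Max ->
    {error, too_long};
decode_string(<<Len:32/unsigned-big, Str:Len/binary, Rest/binary>>, _Max) ->
    {ok, Str, Rest};
decode_string(_, _) ->
    {error, truncated}.

%% open(PathField, Handles, Limits) -> {ok, Handle, Handles1} | {error, Reason}
%% Handles maps the open handles of one connection to their paths.
open(_Bin, Handles, #{max_handles := MaxH}) when map_size(Handles) >= MaxH ->
    {error, too_many_handles};
open(Bin, Handles, #{max_path := MaxP}) ->
    case decode_string(Bin, MaxP) of
        {ok, Path, _Rest} ->
            Handle = integer_to_binary(erlang:unique_integer([positive])),
            {ok, Handle, Handles#{Handle => Path}};
        {error, _} = Error ->
            Error
    end.

demo() ->
    %% Constructed inputs; max_handles is set to 2 only to keep the demo short.
    Limits = #{max_handles => 2, max_path => 4096},
    Field = fun(Bin) -> <<(byte_size(Bin)):32, Bin/binary>> end,
    {ok, _, H1} = open(Field(<<"/srv/a">>), #{}, Limits),
    {ok, _, H2} = open(Field(<<"/srv/b">>), H1, Limits),
    {error, too_many_handles} = open(Field(<<"/srv/c">>), H2, Limits),
    %% Declared length above max_path: rejected without reading a payload.
    {error, too_long} = open(<<5000:32>>, #{}, Limits),
    %% A client-supplied handle of 257 bytes exceeds the 256-byte limit.
    Handle257 = Field(binary:copy(<<0>>, 257)),
    {error, too_long} = decode_string(Handle257, ?MAX_HANDLE_LEN),
    ok.
```
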
# syntax_tools-3.2.2.1
The syntax_tools-3.2.2.1 application can be applied independently of other
applications on a full OTP 27 installation.
## Fixed Bugs and Malfunctions
- Backport fix for annotating maybe to OTP-27
Own Id: OTP-19740
Related Id(s): GH-10103, PR-10118
> #### Full runtime dependencies of syntax_tools-3.2.2.1
>
> compiler-7.0, erts-9.0, kernel-5.0, stdlib-4.0
# Thanks to
Marcel Lanz, Savvas Nicholas