1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
|
Patch Package: OTP 28.0.1
Git Tag: OTP-28.0.1
Date: 2025-06-16
Trouble Report Id: OTP-19634, OTP-19635, OTP-19637, OTP-19638,
OTP-19641, OTP-19644, OTP-19645, OTP-19650,
OTP-19653, OTP-19658, OTP-19662, OTP-19665,
OTP-19675, OTP-19676
Seq num: CVE-2025-4748, ERIERL-1225, ERIERL-1235,
GH-6463, GH-9102, GH-9841, GH-9858, GH-9863,
GH-9872, PR-9103, PR-9691, PR-9838, PR-9846,
PR-9849, PR-9859, PR-9861, PR-9870, PR-9878,
PR-9880, PR-9892, PR-9905, PR-9926, PR-9941
System: OTP
Release: 28
Application: asn1-5.4.1, debugger-6.0.1, eldap-1.2.16,
erts-16.0.1, kernel-10.3.1,
public_key-1.18.1, ssh-5.3.1, ssl-11.3.1,
stdlib-7.0.1, xmerl-2.1.5
Predecessor: OTP 28.0
Check out the git tag OTP-28.0.1, and build a full OTP system including
documentation. Apply one or more applications from this build as patches to your
installation using the 'otp_patch_apply' tool. For information on install
requirements, see descriptions for each application version below.
# asn1-5.4.1
The asn1-5.4.1 application can be applied independently of other applications on
a full OTP 28 installation.
## Fixed Bugs and Malfunctions
- The ASN.1 compiler could generate code that would cause Dialyzer with the
`unmatched_returns` option to emit warnings.
Own Id: OTP-19638
Related Id(s): GH-9841, PR-9846
> #### Full runtime dependencies of asn1-5.4.1
>
> erts-14.0, kernel-9.0, stdlib-5.0
# debugger-6.0.1
The debugger-6.0.1 application can be applied independently of other
applications on a full OTP 28 installation.
## Fixed Bugs and Malfunctions
- Restore deleted icon so that debugger does not crash on startup.
Own Id: OTP-19641
Related Id(s): GH-9858, PR-9861
> #### Full runtime dependencies of debugger-6.0.1
>
> compiler-8.0, erts-15.0, kernel-10.0, stdlib-7.0, wx-2.0
# eldap-1.2.16
The eldap-1.2.16 application can be applied independently of other applications
on a full OTP 28 installation.
## Fixed Bugs and Malfunctions
- With this change eldap's 'not' function will have specs fixed.
Own Id: OTP-19658
Related Id(s): PR-9859
> #### Full runtime dependencies of eldap-1.2.16
>
> asn1-3.0, erts-6.0, kernel-3.0, ssl-5.3.4, stdlib-3.4
# erts-16.0.1
The erts-16.0.1 application can be applied independently of other applications
on a full OTP 28 installation.
## Fixed Bugs and Malfunctions
- Fix Erlang to not crash when io:standard_error/0 is a terminal but
io:standard_io/0 is not. This bug has existed since Erlang/OTP 28.0 and only
effects Windows.
Own Id: OTP-19650
Related Id(s): GH-9872, PR-9878
- In a debug build, the BIFs for the native debugger could cause a lock order
violation diagnostic from the lock checker.
Own Id: OTP-19665
Related Id(s): PR-9926
- When building ERTS make sure correct `pcre2.h` file is included even if CFLAGS
contains extra include paths.
Own Id: OTP-19675
Related Id(s): PR-9892
> #### Full runtime dependencies of erts-16.0.1
>
> kernel-9.0, sasl-3.3, stdlib-4.1
# kernel-10.3.1
The kernel-10.3.1 application can be applied independently of other applications
on a full OTP 28 installation.
## Fixed Bugs and Malfunctions
- Fix bug where calling io:setopts/1 in a shell without the `line_history`
option would always disable `line_history`. This bug was introduced in
Erlang/OTP 28.0.
Own Id: OTP-19645
Related Id(s): GH-9863, PR-9870
> #### Full runtime dependencies of kernel-10.3.1
>
> crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-6.0
# public_key-1.18.1
The public_key-1.18.1 application can be applied independently of other
applications on a full OTP 28 installation.
## Fixed Bugs and Malfunctions
- Add back some ASN-1 macros and definitions that should be included in API.
Own Id: OTP-19644
Related Id(s): PR-9880
> #### Full runtime dependencies of public_key-1.18.1
>
> asn1-5.0, crypto-5.0, erts-13.0, kernel-8.0, stdlib-4.0
# ssh-5.3.1
The ssh-5.3.1 application can be applied independently of other applications on
a full OTP 28 installation.
## Fixed Bugs and Malfunctions
- Various channel closing robustness improvements. Avoid crashes when channel
handling process closes channel and immediately exits. Avoid breaking the
protocol by sending duplicated channel-close messages. Cleanup channels which
timeout during closing procedure.
Own Id: OTP-19634
Related Id(s): GH-9102, PR-9103
- Improved interoperability with clients acting as Paramiko.
Own Id: OTP-19637
Related Id(s): GH-6463, PR-9838
> #### Full runtime dependencies of ssh-5.3.1
>
> crypto-5.0, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1,
> stdlib-5.0, stdlib-6.0
# ssl-11.3.1
The ssl-11.3.1 application can be applied independently of other applications on
a full OTP 28 installation.
## Fixed Bugs and Malfunctions
- hs_keylog callback properly handle alert in initial states, where encryption
is not yet used. Also add keylog callback invocation for corner-case where
server alert is encrypted with application secrets as client is already in
connection state.
Own Id: OTP-19635
Related Id(s): ERIERL-1235, PR-9849
## Improvements and New Features
- The documentation for SSL option `verify_fun` has been improved.
Own Id: OTP-19676
Related Id(s): PR-9691
> #### Full runtime dependencies of ssl-11.3.1
>
> crypto-5.6, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.16.4,
> runtime_tools-1.15.1, stdlib-7.0
# stdlib-7.0.1
The stdlib-7.0.1 application can be applied independently of other applications
on a full OTP 28 installation.
## Fixed Bugs and Malfunctions
- Properly strip the leading `/` and drive letter from filepaths when zipping
and unzipping archives.
Thanks to Wander Nauta for finding and responsibly disclosing this
vulnerability to the Erlang/OTP project.
Own Id: OTP-19653
Related Id(s): PR-9941, CVE-2025-4748
> #### Full runtime dependencies of stdlib-7.0.1
>
> compiler-5.0, crypto-4.5, erts-16.0, kernel-10.0, sasl-3.0, syntax_tools-3.2.1
# xmerl-2.1.5
The xmerl-2.1.5 application can be applied independently of other applications
on a full OTP 28 installation.
## Fixed Bugs and Malfunctions
- The type specs of xmerl_scan:file/2 and xmerl_scan:string/2 has been
updated to return `dynamic/0`. Due to hook functions they can return any user
defined term.
Own Id: OTP-19662
Related Id(s): ERIERL-1225, PR-9905
> #### Full runtime dependencies of xmerl-2.1.5
>
> erts-6.0, kernel-8.4, stdlib-2.5
# Thanks to
Dan Janowski, Ilya Averyanov, Mikael Pettersson, Yaroslav Maslennikov
|
