Erlang - OTP-26.0.1

Security

Patch Package:           OTP 26.0.1
Git Tag:                 OTP-26.0.1
Date:                    2023-06-08
Trouble Report Id:       OTP-18576, OTP-18578, OTP-18581, OTP-18583,
                         OTP-18584, OTP-18585, OTP-18587, OTP-18588,
                         OTP-18593, OTP-18595, OTP-18596, OTP-18597,
                         OTP-18600, OTP-18601, OTP-18602, OTP-18603,
                         OTP-18604, OTP-18617, OTP-18619, OTP-18621,
                         OTP-18632
Seq num:                 ERIERL-944, GH-7213, GH-7247, GH-7248,
                         GH-7251, GH-7252, GH-7259, GH-7264, GH-7282,
                         GH-7288, GH-7297, GH-7301, GH-7303, GH-7338,
                         GH-7339
System:                  OTP
Release:                 26
Application:             compiler-8.3.1, erts-14.0.1, inets-9.0.1,
                         kernel-9.0.1, ssl-11.0.1, stdlib-5.0.1,
                         xmerl-1.3.32
Predecessor:             OTP 26.0

 Check out the git tag OTP-26.0.1, and build a full OTP system
 including documentation. Apply one or more applications from this
 build as patches to your installation using the 'otp_patch_apply'
 tool. For information on install requirements, see descriptions for
 each application version below.

 ---------------------------------------------------------------------
 --- compiler-8.3.1 --------------------------------------------------
 ---------------------------------------------------------------------

 The compiler-8.3.1 application can be applied independently of other
 applications on a full OTP 26 installation.

 --- Fixed Bugs and Malfunctions ---

  OTP-18576    Application(s): compiler

               Fixed a bug where a failing bsl expression in a guard
               threw an exception instead of causing the guard to
               fail.


  OTP-18581    Application(s): compiler
               Related Id(s): GH-7251

               Fixed a bug that would cause the validator to reject
               legal code.


  OTP-18583    Application(s): compiler
               Related Id(s): GH-7259

               The compiler could re-order clauses matching binaries
               so that the incorrect clause would match. That could
               only happen for code that used the option
               {error_location,line} or for code without line or
               column number information (e.g. generated by a parse
               transform).


  OTP-18593    Application(s): compiler
               Related Id(s): GH-7252

               Complex guard expressions using the or operator and
               guard BIFs that can fail could sometimes be miscompiled
               so that the guard would succeed even if a call to a
               guard BIF failed.


  OTP-18600    Application(s): compiler
               Related Id(s): GH-7248

               With optimizations disabled, a try/catch construct
               could return an incorrect value.


  OTP-18601    Application(s): compiler

               In rare circumstances, a combination of binary
               construction and binary_part/3 would cause the compiler
               to generate unsafe code that would crash the runtime
               system.


  OTP-18617    Application(s): compiler
               Related Id(s): GH-7338

               The compiler could be very slow when compiling guards
               with multiple guard tests separated with 'or' or ';'.


  OTP-18619    Application(s): compiler
               Related Id(s): GH-7339

               Complex guard expressions using 'or' and map updates
               could succeed even if the map update failed.


 Full runtime dependencies of compiler-8.3.1: crypto-5.1, erts-13.0,
 kernel-8.4, stdlib-5.0


 ---------------------------------------------------------------------
 --- erts-14.0.1 -----------------------------------------------------
 ---------------------------------------------------------------------

 The erts-14.0.1 application can be applied independently of other
 applications on a full OTP 26 installation.

 --- Fixed Bugs and Malfunctions ---

  OTP-18585    Application(s): erts
               Related Id(s): OTP-18029

               Build of the socket nif failed on Solaris 11.


  OTP-18587    Application(s): erts

               Fixed two reduction-counting bugs relating to binaries.


  OTP-18597    Application(s): erts

               Constructing a binary segment not aligned with a byte
               boundary, with a size not fitting in 31 bits, and with
               a value not fitting in a 64-bit word could crash the
               runtime system.


  OTP-18602    Application(s): erts
               Related Id(s): GH-7282

               When a binary construction failed because of bad size
               for a segment, the error information was not always
               correct.


  OTP-18621    Application(s): erts
               Related Id(s): GH-7288

               Fixed a crash when calling a fun that was defined in a
               module that had been upgraded.


 Full runtime dependencies of erts-14.0.1: kernel-9.0, sasl-3.3,
 stdlib-4.1


 ---------------------------------------------------------------------
 --- inets-9.0.1 -----------------------------------------------------
 ---------------------------------------------------------------------

 The inets-9.0.1 application can be applied independently of other
 applications on a full OTP 26 installation.

 --- Fixed Bugs and Malfunctions ---

  OTP-18604    Application(s): inets
               Related Id(s): GH-7303, PR-7306

               Do not make the default ssl options by calling
               httpc:ssl_verify_host_options(true) if ssl options are
               supplied by the user.


 Full runtime dependencies of inets-9.0.1: erts-14.0, kernel-9.0,
 mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0,
 stdlib-5.0, stdlib-5.0


 ---------------------------------------------------------------------
 --- kernel-9.0.1 ----------------------------------------------------
 ---------------------------------------------------------------------

 The kernel-9.0.1 application can be applied independently of other
 applications on a full OTP 26 installation.

 --- Fixed Bugs and Malfunctions ---

  OTP-18578    Application(s): kernel, stdlib
               Related Id(s): GH-7213

               The POSIX error exdev was sometimes incorrectly
               described as "cross domain link" in some error
               messages.


  OTP-18584    Application(s): kernel
               Related Id(s): #7238

               Corrected the socket send function description (send
               with Timeout = nowait). The send function(s) could not
               return {ok, {RestData, SelectInfo}}


 Full runtime dependencies of kernel-9.0.1: crypto-5.0, erts-14.0,
 sasl-3.0, stdlib-5.0


 ---------------------------------------------------------------------
 --- ssl-11.0.1 ------------------------------------------------------
 ---------------------------------------------------------------------

 The ssl-11.0.1 application can be applied independently of other
 applications on a full OTP 26 installation.

 --- Fixed Bugs and Malfunctions ---

  OTP-18588    Application(s): ssl
               Related Id(s): GH-7264, PR-7277

               Make sure that selection of client certificates handles
               both TLS-1.3 and TLS-1.2 names correctly. The bug could
               cause a valid client certificate to not be selected, and
               an empty client certificate message to be sent to the
               server.


  OTP-18596    Application(s): ssl
               Related Id(s): GH-7247

               Improved ssl:format_error/1 to handle more error
               tuples.


  OTP-18603    Application(s): ssl
               Related Id(s): GH-7297

               Fixed hanging ssl:connect when ssl application is not
               started.


  OTP-18632    Application(s): ssl
               Related Id(s): GH-7301, PR-7300

               Correct the handling of retransmission timers; the
               previous behavior could cause unwanted delays.


 Full runtime dependencies of ssl-11.0.1: crypto-5.0, erts-14.0,
 inets-5.10.7, kernel-9.0, public_key-1.11.3, runtime_tools-1.15.1,
 stdlib-4.1


 ---------------------------------------------------------------------
 --- stdlib-5.0.1 ----------------------------------------------------
 ---------------------------------------------------------------------

 The stdlib-5.0.1 application can be applied independently of other
 applications on a full OTP 26 installation.

 --- Fixed Bugs and Malfunctions ---

  OTP-18578    Application(s): kernel, stdlib
               Related Id(s): GH-7213

               The POSIX error exdev was sometimes incorrectly
               described as "cross domain link" in some error
               messages.


 Full runtime dependencies of stdlib-5.0.1: compiler-5.0, crypto-4.5,
 erts-13.1, kernel-9.0, sasl-3.0


 ---------------------------------------------------------------------
 --- xmerl-1.3.32 ----------------------------------------------------
 ---------------------------------------------------------------------

 The xmerl-1.3.32 application can be applied independently of other
 applications on a full OTP 26 installation.

 --- Fixed Bugs and Malfunctions ---

  OTP-18595    Application(s): xmerl
               Related Id(s): ERIERL-944

               New options to xmerl_scan and xmerl_sax_parser so one
               can limit the behaviour of the parsers to avoid some
               XML security issues.

               xmerl_scan gets one new option:

               -- {allow_entities, Boolean} -- Gives the possibility
               to disallow entities by setting this option to false
               (true is default)

               xmerl_sax_parser gets the following options:

               -- disallow_entities -- Don't allow entities in
               document

               -- {entity_recurse_limit, N} -- Set a limit on entity
               recursion depth (default is 3)

               -- {external_entities, AllowedType} -- Specify which
               types of external entities are allowed; this also
               affects external DTDs. The types are all (default),
               file and none

               -- {fail_undeclared_ref, Boolean} -- Sets the behavior
               for undeclared references that arise because an
               external file is not parsed (true is default)

               The old option skip_external_dtd is still valid and the
               same as {external_entities, none} and
               {fail_undeclared_ref, false} but just affects DTD's and
               not other external references.
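
               The options above applied to untrusted input, as an
               added example that is not part of the OTP release notes
               or OTP code. The module name, function names and sample
               documents are assumptions made up for illustration; the
               options require xmerl-1.3.32.

```erlang
%% Added example, not OTP code. Module and function names are hypothetical.
-module(xmerl_hardening_example).
-export([scan_untrusted/1, sax_untrusted/1, demo/0]).

%% xmerl_scan: refuse documents that use entities.
%% xmerl_scan reports fatal errors by exiting, so the call is wrapped.
scan_untrusted(Xml) when is_list(Xml) ->
    try xmerl_scan:string(Xml, [{allow_entities, false}]) of
        {Doc, _Rest} -> {ok, Doc}
    catch
        Class:Reason -> {error, {Class, Reason}}
    end.

%% xmerl_sax_parser: no entities, and no external entities or DTDs read.
%% The event fun only counts start tags; a real handler would build its
%% own state from the events.
sax_untrusted(Xml) when is_binary(Xml) ->
    Opts = [disallow_entities,
            {external_entities, none},
            {event_state, 0},
            {event_fun, fun count_start_tags/3}],
    case xmerl_sax_parser:stream(Xml, Opts) of
        {ok, Count, _Rest} ->
            {ok, Count};
        {ErrorTag, _Location, Reason, _EndTags, _EventState} ->
            {error, {ErrorTag, Reason}}
    end.

count_start_tags({startElement, _Uri, _LocalName, _QName, _Attrs}, _Loc, N) ->
    N + 1;
count_start_tags(_Event, _Loc, N) ->
    N.

%% Constructed sample input: one plain document and one that declares and
%% references an internal entity. Returns one result tuple per document.
demo() ->
    Plain = "<order><item>1</item></order>",
    WithEntity = "<!DOCTYPE order [<!ENTITY name \"widget\">]>"
                 "<order><item>&name;</item></order>",
    [{Label, scan_untrusted(Doc), sax_untrusted(list_to_binary(Doc))}
     || {Label, Doc} <- [{plain, Plain}, {with_entity, WithEntity}]].
```

               Callers that need entities but not external resources
               can drop disallow_entities and keep
               {external_entities, none}, optionally with a lower
               {entity_recurse_limit, N}.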


 Full runtime dependencies of xmerl-1.3.32: erts-6.0, kernel-3.0,
 stdlib-2.5


 ---------------------------------------------------------------------
 ---------------------------------------------------------------------
 ---------------------------------------------------------------------

Security

Security wording was detected, but no CVEs were found.

Details

date
June 8, 2023, 2:56 p.m.
name
OTP 26.0.1
type
Patch