Erlang/OTP 25.3.2.8

This release of Erlang/OTP can be built from source or installed using pre-built packages for your OS or third-party tools (such as kerl or asdf).

docker run -it erlang:25.3.2.8

Potential Incompatibilities #

OTP-18897
Application(s):
ssh

With this change (being response to CVE-2023-48795), ssh can negotiate "strict KEX" OpenSSH extension with peers supporting it; also 'chacha20-poly1305@openssh.com' algorithm becomes a less preferred cipher.

If strict KEX availability cannot be ensured on both connection sides, affected encryption modes(CHACHA and CBC) can be disabled with standard ssh configuration. This will provide protection against vulnerability, but at a cost of affecting interoperability. See Configuring algorithms in SSH.

OTP-25.3.2.8 #

OTP-18896
Application(s):
otp

Updated copyright and license information.

asn1-5.0.21.1 #

The asn1-5.0.21.1 application can be applied independently of other applications on a full OTP 25 installation.

OTP-18844
Application(s):
asn1

Fix benign warning from gcc 11 about mismatching call to free().

Full runtime dependencies of asn1-5.0.21.1: erts-11.0, kernel-7.0, stdlib-3.13

erl_interface-5.3.2.1 #

The erl_interface-5.3.2.1 application can be applied independently of other applications on a full OTP 25 installation.

OTP-18877
Application(s):
erl_interface, erts

Replaced old md5 implementation with an implementation from OpenSSL.

erts-13.2.2.5 #

Note! The erts-13.2.2.5 application *cannot* be applied independently of other applications on an arbitrary OTP 25 installation. On a full OTP 25 installation, also the following runtime dependencies have to be satisfied: -- kernel-8.5 (first satisfied in OTP 25.1) -- stdlib-4.1 (first satisfied in OTP 25.1)

OTP-18802
Application(s):
erts

Fix faulty debug assert when page size is larger than 16kb, like on PowerPC. Did crash debug VM directly at start.

OTP-18838
Application(s):
erts
Related Id(s):
GH-7801 , PR-7822

A process with message_queue_data configured as off_heap could end up in an inconsistent state when being receive traced, inspected using process_info/2 with the message_queue_len item, or inspected using the break menu (CTRL-C). When it ended up in this inconsistent state, it was not enqueued into a run queue even though it was set in a runnable state.This also effected signals being sent to the process after it had gotten into this inconsistent state, in such a way that it was from this point not possible to communicate with it.

OTP-18839
Application(s):
erts
Related Id(s):
GH-7801 , PR-7822

A race occurring when a process was selected for dirty execution simultaneously as it was scheduled for handling a signal could cause the process to end up in an inconsistent state. When it ended up in this inconsistent state, it was not enqueued into a run queue even though it was set in a runnable state. This also effected signals being sent to the process after it had gotten into this inconsistent state, in such a way that it was from this point not possible to communicate with it.

OTP-18841
Application(s):
erts
Related Id(s):
GH-7801 , OTP-18737 , PR-7822

When a process had to to wait in the run queue for a long time before being selected for dirty execution, it could not receive signals. This caused inspection of such a process, for example using process_info/2, to take a long time.

This issue was introduced in OTP 25.3.2.6 and 26.1 when fixing an issue where a constant flow of signals prevented a process from being able to execute dirty.

OTP-18842
Application(s):
erts

Fixed a bug in the JIT that miscompiled large select_val instructions.

OTP-18885
Application(s):
erts
Related Id(s):
GH-7834 , GH-7890 , PR-7915

On OTP 24 and OTP 25, incoming distributed messages larger than 64 KiB sent using an alias leaked memory if the alias had been removed prior to entering the node. This issue was not present on OTP 26.

Incoming distributed messages larger than 64 KiB sent using an alias which had been removed on the receiving node could crash the node. This crash was quite unlikely on OTP 24 and OTP 25, but very likely on OTP 26.

'DOWN' signals with exit reason larger than 64 KiB directed towards a process on a node with a not matching creation leaked memory on the receiving node. Such signals should however be very rare.

OTP-18902
Application(s):
erts

Removed unnecessary PCRE source tar-ball.

OTP-18830
Application(s):
erts
Related Id(s):
PR-7823

Removed unnecessary regexp library used when generating yielding BIFs.

OTP-18877
Application(s):
erl_interface, erts

Replaced old md5 implementation with an implementation from OpenSSL.

OTP-18899
Application(s):
erts

Removed unused makewhatis script.

Full runtime dependencies of erts-13.2.2.5: kernel-8.5, sasl-3.3, stdlib-4.1

mnesia-4.21.4.2 #

The mnesia-4.21.4.2 application can be applied independently of other applications on a full OTP 25 installation.

OTP-18850
Application(s):
mnesia

mnesia:add_table_copy/3 no longer fails with reason system_limit when the node is starting.

Full runtime dependencies of mnesia-4.21.4.2: erts-9.0, kernel-5.3, stdlib-3.4

public_key-1.13.3.2 #

The public_key-1.13.3.2 application can be applied independently of other applications on a full OTP 25 installation.

OTP-18739
Application(s):
public_key, ssl

ssl application will validate id-kp-serverAuth and id-kp-clientAuth extended key usage only in end entity certificates. public_key application will disallow "anyExtendedKeyUsage" for CA certificates that includes the extended key usage extension and marks it critical.

Full runtime dependencies of public_key-1.13.3.2: asn1-3.0, crypto-4.6, erts-6.0, kernel-3.0, stdlib-3.5

ssh-4.15.3.1 #

The ssh-4.15.3.1 application can be applied independently of other applications on a full OTP 25 installation.

OTP-18869
Application(s):
ssh
Related Id(s):
GH-7571 , PR-7849

With this change, connection handler does not execute socket operations until it becomes socket owner. Previously errors could occur if connection handler tried to work with socket whose owner exited.

OTP-18897
Application(s):
ssh

*** POTENTIAL INCOMPATIBILITY ***

With this change (being response to CVE-2023-48795), ssh can negotiate "strict KEX" OpenSSH extension with peers supporting it; also 'chacha20-poly1305@openssh.com' algorithm becomes a less preferred cipher.

If strict KEX availability cannot be ensured on both connection sides, affected encryption modes(CHACHA and CBC) can be disabled with standard ssh configuration. This will provide protection against vulnerability, but at a cost of affecting interoperability. See Configuring algorithms in SSH.

Full runtime dependencies of ssh-4.15.3.1: crypto-5.0, erts-11.0, kernel-6.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-3.15

ssl-10.9.1.3 #

Note! The ssl-10.9.1.3 application *cannot* be applied independently of other applications on an arbitrary OTP 25 installation. On a full OTP 25 installation, also the following runtime dependency has to be satisfied: -- stdlib-4.1 (first satisfied in OTP 25.1)

OTP-18739
Application(s):
public_key, ssl

ssl application will validate id-kp-serverAuth and id-kp-clientAuth extended key usage only in end entity certificates. public_key application will disallow "anyExtendedKeyUsage" for CA certificates that includes the extended key usage extension and marks it critical.

OTP-18886
Application(s):
ssl

Add missing export for connection_info() API type.

Full runtime dependencies of ssl-10.9.1.3: crypto-5.0, erts-10.0, inets-5.10.7, kernel-8.4, public_key-1.11.3, runtime_tools-1.15.1, stdlib-4.1

wx-2.2.2.1 #

The wx-2.2.2.1 application can be applied independently of other applications on a full OTP 25 installation.

OTP-18768
Application(s):
wx
Related Id(s):
PR-7670

The wx application would fail to build on macOS with Xcode 15.

Full runtime dependencies of wx-2.2.2.1: erts-12.0, kernel-8.0, stdlib-3.15