Patch Package: OTP 23.1
Git Tag: OTP-23.1
Date: 2020-09-23
Trouble Report Id: OTP-14106, OTP-15130, OTP-15187, OTP-15767,
OTP-15855, OTP-16411, OTP-16448, OTP-16591,
OTP-16592, OTP-16607, OTP-16625, OTP-16650,
OTP-16655, OTP-16658, OTP-16661, OTP-16663,
OTP-16674, OTP-16675, OTP-16694, OTP-16697,
OTP-16700, OTP-16701, OTP-16705, OTP-16707,
OTP-16710, OTP-16713, OTP-16715, OTP-16716,
OTP-16732, OTP-16734, OTP-16735, OTP-16737,
OTP-16738, OTP-16739, OTP-16740, OTP-16741,
OTP-16742, OTP-16743, OTP-16744, OTP-16746,
OTP-16748, OTP-16751, OTP-16753, OTP-16754,
OTP-16755, OTP-16760, OTP-16761, OTP-16763,
OTP-16764, OTP-16765, OTP-16767, OTP-16768,
OTP-16770, OTP-16771, OTP-16774, OTP-16775,
OTP-16776, OTP-16777, OTP-16778, OTP-16779,
OTP-16782, OTP-16783, OTP-16784, OTP-16785,
OTP-16786, OTP-16787, OTP-16790, OTP-16791,
OTP-16798, OTP-16801, OTP-16802, OTP-16803,
OTP-16813, OTP-16815, OTP-16816, OTP-16820,
OTP-16821, OTP-16823, OTP-16830, OTP-16832,
OTP-16833, OTP-16836, OTP-16837, OTP-16838,
OTP-16846, OTP-16848, OTP-16850, OTP-16851,
OTP-16854, OTP-16857, OTP-16866
Seq num: ERIERL-484, ERIERL-496, ERIERL-500,
ERIERL-509, ERIERL-511, ERIERL-512,
ERIERL-516, ERIERL-519, ERIERL-520,
ERIERL-522, ERIERL-523, ERIERL-524, ERL-1215,
ERL-1241, ERL-1247, ERL-1257, ERL-1259,
ERL-1268, ERL-1271, ERL-1280, ERL-1283,
ERL-1284, ERL-1287, ERL-1288, ERL-1293,
ERL-1297, ERL-1305, ERL-1307, ERL-1309,
ERL-1310, ERL-1312, ERL-1316, ERL-1317,
ERL-1319, ERL-1327, ERL-1334, ERL-1340,
ERL-1344, ERL-1355
System: OTP
Release: 23
Application: asn1-5.0.14, compiler-7.6.3, crypto-4.8,
dialyzer-4.2.1, erl_docgen-1.0.1,
erl_interface-4.0.1, erts-11.1, eunit-2.6,
ftp-1.0.5, hipe-4.0.1, inets-7.3, kernel-7.1,
megaco-3.19.3, mnesia-4.18, observer-2.9.5,
odbc-2.13.1, os_mon-2.6, public_key-1.9,
runtime_tools-1.15.1, sasl-4.0.1, snmp-5.6.1,
ssh-4.10.1, ssl-10.1, stdlib-3.13.2,
syntax_tools-2.3.1, tools-3.4.1
Predecessor: OTP 23.0.4
Check out the git tag OTP-23.1, and build a full OTP system including
documentation. Apply one or more applications from this build as
patches to your installation using the 'otp_patch_apply' tool. For
information on install requirements, see descriptions for each
application version below.
---------------------------------------------------------------------
--- HIGHLIGHTS ------------------------------------------------------
---------------------------------------------------------------------
OTP-16790 Application(s): inets
Related Id(s): ERIERL-522
A vulnerability in the httpd module (inets application)
regarding directory traversal that was introduced in
OTP 22.3.1 and corrected in OTP 22.3.4.6. It was also
introduced in OTP 23.0 and corrected in OTP 23.1 The
vulnerability is registered as CVE-2020-25623
The vulnerability is only exposed if the http server
(httpd) in the inets application is used. The
vulnerability makes it possible to read arbitrary files
which the Erlang system has read access to with for
example a specially prepared http request.
---------------------------------------------------------------------
--- OTP-23.1 --------------------------------------------------------
---------------------------------------------------------------------
--- Fixed Bugs and Malfunctions ---
OTP-16833 Application(s): erts, otp
Related Id(s): PR-2729
Adjust /bin/sh to /system/bin/sh in scripts when
installing on Android.
--- Improvements and New Features ---
OTP-16779 Application(s): otp
Related Id(s): ERL-1305, PR-2700
Changes in build system to make it build for macOS 11.0
with Apple Silicon. Also corrected execution of match
specs to work on Apple Silicon.
---------------------------------------------------------------------
--- asn1-5.0.14 -----------------------------------------------------
---------------------------------------------------------------------
The asn1-5.0.14 application can be applied independently of other
applications on a full OTP 23 installation.
--- Improvements and New Features ---
OTP-16707 Application(s): asn1, erl_interface, erts, odbc
Related Id(s): PR-2638
Changes in order to build on the Haiku operating
system.
Thanks to Calvin Buckley
Full runtime dependencies of asn1-5.0.14: erts-7.0, kernel-3.0,
stdlib-2.0
---------------------------------------------------------------------
--- compiler-7.6.3 --------------------------------------------------
---------------------------------------------------------------------
The compiler-7.6.3 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-16701 Application(s): compiler
Related Id(s): ERL-1271
If the update of a map with the 'Map#{Key := Value}'
syntax failed, the line number in the stack backtrace
could be incorrect.
OTP-16755 Application(s): compiler
Related Id(s): ERL-1297
Fixed a performance bug that slowed down compilation of
modules with deeply nested terms.
OTP-16820 Application(s): compiler
The compiler could in rare circumstances do an an
unsafe optimization that would result in a matching of
a nested map pattern would fail to match.
OTP-16838 Application(s): compiler
Related Id(s): ERL-1340
Fixed a bug in the validator that caused it to reject
valid code.
Full runtime dependencies of compiler-7.6.3: crypto-3.6, erts-11.0,
hipe-3.12, kernel-7.0, stdlib-3.13
---------------------------------------------------------------------
--- crypto-4.8 ------------------------------------------------------
---------------------------------------------------------------------
The crypto-4.8 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-16658 Application(s): crypto
Related Id(s): ERL-1257, OTP-15884
Fix type spec bug in crypto for crypto_init and
crypto:one_time
OTP-16846 Application(s): crypto
Related Id(s): PR-2741
The deprecation message for crypto:rand_uniform/2
indicated a non-existent function. The correct one
(rand:uniform/1) is now suggested.
--- Improvements and New Features ---
OTP-16771 Application(s): crypto
Related Id(s): ERIERL-509
Implemented a workaround to allow fallback from using
the EVP API for Diffie-Hellman key generation
OTP-16774 Application(s): crypto, ssh
The internal Diffie-Hellman high level API for key
generation was slow in old and by OpenSSL now
unsupported cryptolib versions (1.0.1 and earlier).
If such a cryptolib is used anyhow, the low-level API
is used internally in the crypto application.
Full runtime dependencies of crypto-4.8: erts-9.0, kernel-5.3,
stdlib-3.4
---------------------------------------------------------------------
--- dialyzer-4.2.1 --------------------------------------------------
---------------------------------------------------------------------
The dialyzer-4.2.1 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-16813 Application(s): dialyzer
Related Id(s): ERL-1307
In rare circumstance, dialyzer wold crash when
analyzing a list comprehension.
Full runtime dependencies of dialyzer-4.2.1: compiler-7.0, erts-9.0,
hipe-3.16.1, kernel-5.3, stdlib-3.4, syntax_tools-2.0, wx-1.2
---------------------------------------------------------------------
--- erl_docgen-1.0.1 ------------------------------------------------
---------------------------------------------------------------------
The erl_docgen-1.0.1 application can be applied independently of
other applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-16661 Application(s): erl_docgen
Related Id(s): ERL-1259
Repaired lost function "since" versions in the right
margin of the module reference HTML documentation.
OTP-16675 Application(s): erl_docgen
Remove erlang compilation warnings and trailing
whitespaces.
Full runtime dependencies of erl_docgen-1.0.1: edoc-0.7.13, erts-9.0,
stdlib-3.4, xmerl-1.3.7
---------------------------------------------------------------------
--- erl_interface-4.0.1 ---------------------------------------------
---------------------------------------------------------------------
The erl_interface-4.0.1 application can be applied independently of
other applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-16740 Application(s): erl_interface
Fix erl_interface on windows to be compiled with
correct flags to make internal primitives reentrant.
OTP-16753 Application(s): erl_interface
Related Id(s): ERL-1288, PR-2678
Fixed ei_get_type to set *size to zero for floats,
pids, port and refs according to documentation.
OTP-16786 Application(s): erl_interface
Fix ei_connect when using a dynamic node name to force
usage of distribution version 6.
This bug caused erl_call -R -address to not work
properly.
--- Improvements and New Features ---
OTP-16707 Application(s): asn1, erl_interface, erts, odbc
Related Id(s): PR-2638
Changes in order to build on the Haiku operating
system.
Thanks to Calvin Buckley
--- Known Bugs and Problems ---
OTP-16607 Application(s): erl_interface
Related Id(s): OTP-16608
The ei API for decoding/encoding terms is not fully
64-bit compatible since terms that have a
representation on the external term format larger than
2 GB cannot be handled.
---------------------------------------------------------------------
--- erts-11.1 -------------------------------------------------------
---------------------------------------------------------------------
The erts-11.1 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-16625 Application(s): erts
Related Id(s): PR-2609
Update the documentation of the abstract format to use
ANNO instead of LINE.
OTP-16710 Application(s): erts
Related Id(s): ERL-1280
The emulator will no longer revert to the default
number of schedulers when running under a CPU quota
lower than 1 CPU.
OTP-16713 Application(s): erts
Fixed a problem with crash dumps. When a process that
contained reference to literals internally created by
the runtime system (such as the tuple returned by
os:type/0), the literal would not be included in the
crash dump and the crashdump viewer would complain
about the heap being incomplete.
OTP-16738 Application(s): erts
Fix configure detection of PGO for clang.
OTP-16741 Application(s): erts
The to_erl program has been fixed to correctly
interpret newline as only newline and not
newline+return.
This bug would cause the terminal to behave strangely
when using lines longer than the terminal size.
OTP-16770 Application(s): erts
A race condition when changing process priority by
calling process_flag(priority, Prio) could cause
elevation of priority for a system task to be ignored.
This bug hit if the system task was scheduled on the
process calling process_flag() at the same time as the
priority was changed. The bug is quite harmless and
should hit very seldom if ever.
OTP-16833 Application(s): erts, otp
Related Id(s): PR-2729
Adjust /bin/sh to /system/bin/sh in scripts when
installing on Android.
OTP-16850 Application(s): erts
Related Id(s): ERL-1344
In rare circumstances, when loading a BEAM file
generated by an alternative code generator (not the
Erlang compiler in OTP) or from handwritten or patched
BEAM code, the loader could do an unsafe optimization.
OTP-16857 Application(s): erts
A memory and file descriptor leak in socket has been
fixed. (When a newly opened socket that had not entered
the fd into the VM's poll set (neither received, sent,
accepted nor connected) was abandoned without closing
(process died), after assigning a different controlling
process, then a memory block and the file descriptor
could be leaked.)
OTP-16866 Application(s): erts
Related Id(s): ERL-1355
The documentation of statistics(run_queue) erroneously
stated that it returns the total length of all normal
run queues when it is the total length of all normal
and dirty CPU run queues that is returned. The
documentation has been updated to reflect the actual
behavior.
--- Improvements and New Features ---
OTP-16707 Application(s): asn1, erl_interface, erts, odbc
Related Id(s): PR-2638
Changes in order to build on the Haiku operating
system.
Thanks to Calvin Buckley
OTP-16715 Application(s): erts
When building the inet driver on Windows, there where
many compiler warnings regarding type casting (used
when calling the debug macro). This has now been
resolved.
OTP-16763 Application(s): erts, kernel
Make (use of) the socket registry optional (still
enabled by default). Its now possible to build OTP with
the socket registry turned off, turn it off by setting
an environment variable and controlling in runtime (via
function calls and arguments when creating sockets).
OTP-16821 Application(s): erts
Related Id(s): PR-2733
Change default filename encoding on android to UTF-8.
OTP-16848 Application(s): erts
Related Id(s): PR-2737
Clarification of the format of the atom cache header
used by the distribution.
Full runtime dependencies of erts-11.1: kernel-7.0, sasl-3.3,
stdlib-3.13
---------------------------------------------------------------------
--- eunit-2.6 -------------------------------------------------------
---------------------------------------------------------------------
The eunit-2.6 application can be applied independently of other
applications on a full OTP 23 installation.
--- Improvements and New Features ---
OTP-16674 Application(s): eunit
Fixed compiler warning.
Full runtime dependencies of eunit-2.6: erts-9.0, kernel-5.3,
stdlib-3.4
---------------------------------------------------------------------
--- ftp-1.0.5 -------------------------------------------------------
---------------------------------------------------------------------
The ftp-1.0.5 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-16734 Application(s): ftp
Related Id(s): ERIERL-496, OTP-16697
Avoid timing issue when setting active once on a socket
that is being closed by the peer.
Full runtime dependencies of ftp-1.0.5: erts-7.0, kernel-6.0,
stdlib-3.5
---------------------------------------------------------------------
--- hipe-4.0.1 ------------------------------------------------------
---------------------------------------------------------------------
The hipe-4.0.1 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-16737 Application(s): hipe
Fixed a warning issued when building the hipe
application.
Full runtime dependencies of hipe-4.0.1: compiler-5.0, erts-9.3,
kernel-5.3, stdlib-3.4, syntax_tools-1.6.14
---------------------------------------------------------------------
--- inets-7.3 -------------------------------------------------------
---------------------------------------------------------------------
The inets-7.3 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-16650 Application(s): inets
Related Id(s): ERL-1215, PR-2629
Clarify the handling of percent encoded characters in
http client.
OTP-16663 Application(s): inets
Related Id(s): ERL-1241
fix crash for undefined port in uri.
OTP-16735 Application(s): inets
Related Id(s): ERIERL-496, OTP-16697
Avoid timing issue when setting active once on a socket
that is being closed by the peer.
OTP-16746 Application(s): inets
Related Id(s): ERL-1268
Handle message body of response with 1XX status code as
next http message.
OTP-16775 Application(s): inets
Related Id(s): ERIERL-519
Fix a crash in http server when setopts is called on a
socket closed by the peer.
OTP-16790 Application(s): inets
Related Id(s): ERIERL-522
*** HIGHLIGHT ***
A vulnerability in the httpd module (inets application)
regarding directory traversal that was introduced in
OTP 22.3.1 and corrected in OTP 22.3.4.6. It was also
introduced in OTP 23.0 and corrected in OTP 23.1 The
vulnerability is registered as CVE-2020-25623
The vulnerability is only exposed if the http server
(httpd) in the inets application is used. The
vulnerability makes it possible to read arbitrary files
which the Erlang system has read access to with for
example a specially prepared http request.
--- Improvements and New Features ---
OTP-16591 Application(s): inets
Related Id(s): ERIERL-484
Add support of PATCH method in mod_esi.
Full runtime dependencies of inets-7.3: erts-6.0, kernel-3.0,
mnesia-4.12, runtime_tools-1.8.14, ssl-5.3.4, stdlib-3.5
---------------------------------------------------------------------
--- kernel-7.1 ------------------------------------------------------
---------------------------------------------------------------------
The kernel-7.1 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-15187 Application(s): kernel
Related Id(s): ERL-1293
A fallback has been implemented for file:sendfile when
using inet_backend socket
OTP-16694 Application(s): kernel
Related Id(s): PR-2625
Make default TCP distribution honour option backlog in
inet_dist_listen_options.
OTP-16743 Application(s): kernel
Related Id(s): ERL-1287
Raw option handling for the experimental gen_tcp_socket
backend was broken so that all raw options were ignored
by for example gen_tcp:listen/2, a bug that now has
been fixed. Reported by Jan Uhlig.
OTP-16748 Application(s): kernel
Related Id(s): ERL-1284
Accept fails with inet-backend socket.
OTP-16754 Application(s): kernel
Fixed various minor errors in the socket backend of
gen_tcp.
OTP-16768 Application(s): kernel
Related Id(s): ERL-1312
Correct disk_log:truncate/1 to count the header. Also
correct the documentation to state that
disk_log:truncate/1 can be used with external disk
logs.
OTP-16783 Application(s): kernel
Fix erl_epmd:port_please/2,3 type specs to include all
possible error values.
OTP-16785 Application(s): kernel
Fix erl -erl_epmd_port to work properly. Before this
fix it did not work at all.
OTP-16823 Application(s): kernel
Related Id(s): PR-2722
Fix typespec for internal function
erlang:seq_trace_info/1 to allow term() as returned
label. This in turn fixes so that calls to
seq_trace:get_token/1 can be correctly analyzer by
dialyzer.
OTP-16832 Application(s): kernel
Related Id(s): PR-2738
Fix erroneous double registration of processes in pg
when distribution is dynamically started.
--- Improvements and New Features ---
OTP-16763 Application(s): erts, kernel
Make (use of) the socket registry optional (still
enabled by default). Its now possible to build OTP with
the socket registry turned off, turn it off by setting
an environment variable and controlling in runtime (via
function calls and arguments when creating sockets).
OTP-16784 Application(s): kernel
erl -remsh nodename no longer requires the hostname to
be given when used together with dynamic nodenames.
Full runtime dependencies of kernel-7.1: erts-11.0, sasl-3.0,
stdlib-3.13
---------------------------------------------------------------------
--- megaco-3.19.3 ---------------------------------------------------
---------------------------------------------------------------------
The megaco-3.19.3 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-16836 Application(s): megaco
The expected number of warnings when (yecc) generating
v2 and v3 (text) parser's was incorrect.
Full runtime dependencies of megaco-3.19.3: asn1-3.0, debugger-4.0,
erts-7.0, et-1.5, kernel-3.0, runtime_tools-1.8.14, stdlib-2.5
---------------------------------------------------------------------
--- mnesia-4.18 -----------------------------------------------------
---------------------------------------------------------------------
The mnesia-4.18 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-16782 Application(s): mnesia
Related Id(s): PR-2663
FIx mnesia delete object handling in transaction
storage. In a transaction mnesia:read/1 could indicate
that exiting objects did not exist after another object
was deleted.
--- Improvements and New Features ---
OTP-16815 Application(s): mnesia
Related Id(s): ERIERL-500
Fixed crash during startup, which could happen if a
table was deleted on another node.
Full runtime dependencies of mnesia-4.18: erts-9.0, kernel-5.3,
stdlib-3.4
---------------------------------------------------------------------
--- observer-2.9.5 --------------------------------------------------
---------------------------------------------------------------------
The observer-2.9.5 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-16778 Application(s): observer
Fix graph windows flickering on windows.
Full runtime dependencies of observer-2.9.5: erts-11.0, et-1.5,
kernel-7.0, runtime_tools-1.8.14, stdlib-3.13, wx-1.2
---------------------------------------------------------------------
--- odbc-2.13.1 -----------------------------------------------------
---------------------------------------------------------------------
The odbc-2.13.1 application can be applied independently of other
applications on a full OTP 23 installation.
--- Improvements and New Features ---
OTP-16707 Application(s): asn1, erl_interface, erts, odbc
Related Id(s): PR-2638
Changes in order to build on the Haiku operating
system.
Thanks to Calvin Buckley
Full runtime dependencies of odbc-2.13.1: erts-6.0, kernel-3.0,
stdlib-2.0
---------------------------------------------------------------------
--- os_mon-2.6 ------------------------------------------------------
---------------------------------------------------------------------
The os_mon-2.6 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-16798 Application(s): os_mon
Related Id(s): ERL-1327
memsup now returns the correct amount of system memory
on macOS.
--- Improvements and New Features ---
OTP-16742 Application(s): os_mon
Fix memsup:get_os_wordsize/0 to return the current size
on aarch64.
Full runtime dependencies of os_mon-2.6: erts-6.0, kernel-3.0,
sasl-2.4, stdlib-2.0
---------------------------------------------------------------------
--- public_key-1.9 --------------------------------------------------
---------------------------------------------------------------------
The public_key-1.9 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-16801 Application(s): public_key
Related Id(s): ERL-1309
Fixed an insignificant whitespace issue when decoding
PEM file.
--- Improvements and New Features ---
OTP-16448 Application(s): public_key, ssl
Experimental OCSP client support.
OTP-16592 Application(s): public_key
Use user returned path validation error for selfsigned
cert. It allows users of the ssl application to
customize the generated TLS alert, within the range of
defined alerts.
OTP-16705 Application(s): public_key
add API function to retrieve the subject-ID of an X509
certificate
Full runtime dependencies of public_key-1.9: asn1-3.0, crypto-3.8,
erts-6.0, kernel-3.0, stdlib-3.5
---------------------------------------------------------------------
--- runtime_tools-1.15.1 --------------------------------------------
---------------------------------------------------------------------
The runtime_tools-1.15.1 application can be applied independently of
other applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-16787 Application(s): runtime_tools
Related Id(s): PR-2673
Fixed a crash in appmon_info triggered by trying to
read port info from a port that was in the process of
terminating.
appmon_info is used by observer to get information from
the observed node.
Full runtime dependencies of runtime_tools-1.15.1: erts-11.0,
kernel-7.0, mnesia-4.12, stdlib-3.13
---------------------------------------------------------------------
--- sasl-4.0.1 ------------------------------------------------------
---------------------------------------------------------------------
The sasl-4.0.1 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-16744 Application(s): sasl
Related Id(s): ERL-1247, PR-2666
Make release_handler more resilient against exiting
processes during upgrade.
Full runtime dependencies of sasl-4.0.1: erts-10.2, kernel-5.3,
stdlib-3.4, tools-2.6.14
---------------------------------------------------------------------
--- snmp-5.6.1 ------------------------------------------------------
---------------------------------------------------------------------
The snmp-5.6.1 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-15130 Application(s): snmp
Related Id(s): ERIERL-524, OTP-16541
For agent fix PrivParams for SNMPv3 USM with AES
privacy, as earlier fixed for the manager in OTP_16541.
OTP-15767 Application(s): snmp
Related Id(s): ERIERL-523
The SNMP Agent missed to re-activate datagram reception
in an odd timeout case and went deaf. This bug has been
fixed.
OTP-16716 Application(s): snmp
Use of deprecated functions in example 2 has been
removed (no more compiler warnings).
OTP-16760 Application(s): snmp
Related Id(s): ERIERL-511
A file descriptor leak has been plugged. When calling
the reconfigure function of a mib, it opened the config
file(s) but never closed them on successful read.
Full runtime dependencies of snmp-5.6.1: crypto-3.3, erts-6.0,
kernel-3.0, mnesia-4.12, runtime_tools-1.8.14, stdlib-2.5
---------------------------------------------------------------------
--- ssh-4.10.1 ------------------------------------------------------
---------------------------------------------------------------------
The ssh-4.10.1 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-16761 Application(s): ssh
Related Id(s): PR-2679
Fixed a bug when a message to ssh-agent was divided
into separate packets.
OTP-16791 Application(s): ssh
Related Id(s): ERIERL-520
Fix a bug that could crash the cli server if a too
large cli-window was requested from the client.
--- Improvements and New Features ---
OTP-14106 Application(s): ssh
Increased test coverage.
OTP-16411 Application(s): ssh
A chapter about hardening the OTP SSH is added to the
User's Guide.
OTP-16774 Application(s): crypto, ssh
The internal Diffie-Hellman high level API for key
generation was slow in old and by OpenSSL now
unsupported cryptolib versions (1.0.1 and earlier).
If such a cryptolib is used anyhow, the low-level API
is used internally in the crypto application.
OTP-16803 Application(s): ssh
A new timeout is defined for daemons: hello_timeout.
The timeout is supposed to be used as a simple DoS
attack protection. It closes an incoming TCP-connection
if no valid first SSH message is received from the
client within the timeout limit after the TCP initial
connection setup.
The initial value is 30s by compatibility reasons, but
could be lowered if needed, for example in the code or
in a config file.
Full runtime dependencies of ssh-4.10.1: crypto-4.6.4, erts-9.0,
kernel-5.3, public_key-1.6.1, stdlib-3.4.1
---------------------------------------------------------------------
--- ssl-10.1 --------------------------------------------------------
---------------------------------------------------------------------
The ssl-10.1 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-16697 Application(s): ssl
Related Id(s): ERIERL-496
If a passive socket is created, ssl:recv/2,3 is never
called and then the peer closes the socket the
controlling process will no longer receive an active
close message.
OTP-16764 Application(s): ssl
Data deliver with ssl:recv/2,3 could fail for when
using packet mode. This has been fixed by correcting
the flow control handling of passive sockets when
packet mode is used.
OTP-16765 Application(s): ssl
This change fixes a potential man-in-the-middle
vulnerability when the ssl client is configured to
automatically handle session tickets ({session_tickets,
auto}).
OTP-16767 Application(s): ssl
Related Id(s): ERIERL-512
Fix the internal handling of options 'verify' and
'verify_fun'.
This change fixes a vulnerability when setting the ssl
option 'verify' to verify_peer in a continued handshake
won't take any effect resulting in the acceptance of
expired peer certificates.
OTP-16776 Application(s): ssl
Related Id(s): ERL-1316
This change fixes the handling of stateless session
tickets when anti-replay is enabled.
OTP-16777 Application(s): ssl
Related Id(s): ERL-1317
Fix a crash due to the faulty handling of stateful
session tickets received by servers expecting stateless
session tickets.
This change also improves the handling of
faulty/invalid tickets.
OTP-16837 Application(s): ssl
Related Id(s): ERL-1319, OTP-16764
Correct flow ctrl checks from OTP-16764 to work as
intended. Probably will not have a noticeable affect
but will make connections more well behaved under some
circumstances.
OTP-16851 Application(s): ssl
Related Id(s): PR-2703
Distribution over TLS could exhibit livelock-like
behaviour when there is a constant stream of
distribution messages. Distribution data is now chunked
every 16 Mb to avoid that.
--- Improvements and New Features ---
OTP-15855 Application(s): ssl
Implement the cookie extension for TLS 1.3.
OTP-16448 Application(s): public_key, ssl
Experimental OCSP client support.
OTP-16802 Application(s): ssl
Related Id(s): ERIERL-516
TLS 1.0 -TLS-1.2 sessions tables now have a absolute
max value instead of using a shrinking mechanism when
reaching the limit. To avoid out of memory problems
under heavy load situations. Note that this change
infers that implementations of ssl_session_cache_api
needs to implement the size function (introduce in OTP
19) for session reuse to be optimally utilized.
Full runtime dependencies of ssl-10.1: crypto-4.2, erts-10.0,
inets-5.10.7, kernel-6.0, public_key-1.8, stdlib-3.5
---------------------------------------------------------------------
--- stdlib-3.13.2 ---------------------------------------------------
---------------------------------------------------------------------
The stdlib-3.13.2 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-16655 Application(s): stdlib
The functions digraph:in_edges/2 and
digraph:out_edges/2 would return false edges if called
for a vertex that had a '_' atom in its name term.
OTP-16700 Application(s): stdlib
filelib:wildcard("not-a-directory/..") should return an
empty list. On Windows it returned
"not-a-directory/..".
OTP-16739 Application(s): stdlib
Fix the typespec of shell_docs:render to use the
correct type for an MFA.
OTP-16751 Application(s): stdlib
Related Id(s): ERL-1283
Fix uri_string:recompose/1 when host is present but
input path is not absolute.
This change prevents the recompose operation to change
the top level domain of the host when the path does not
start with a slash.
OTP-16816 Application(s): stdlib
Related Id(s): ERL-1310
The epp module would return a badly formed error term
when an 'if' preprocessor directive referenced an
undefined symbol. epp:format_error/1 would crash when
called with the bad error term.
OTP-16830 Application(s): stdlib
Related Id(s): ERL-1334, PR-2718
lists:sublist(List, Start, Len) failed with an
exception if Start > length(List) + 1 even though it is
explicitly documented that "It is not an error for
Start+Len to exceed the length of the list".
Full runtime dependencies of stdlib-3.13.2: compiler-5.0, crypto-3.3,
erts-11.0, kernel-7.0, sasl-3.0
---------------------------------------------------------------------
--- syntax_tools-2.3.1 ----------------------------------------------
---------------------------------------------------------------------
The syntax_tools-2.3.1 application can be applied independently of
other applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-16732 Application(s): syntax_tools
Related Id(s): PR-2659
Minor documentation fix of erl_syntax:operator/1.
Full runtime dependencies of syntax_tools-2.3.1: compiler-7.0,
erts-9.0, kernel-5.0, stdlib-3.4
---------------------------------------------------------------------
--- tools-3.4.1 -----------------------------------------------------
---------------------------------------------------------------------
The tools-3.4.1 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-16854 Application(s): tools
Related Id(s): PR-2750
Correct the Xref analysis locals_not_used to find
functions called exclusively from on_load functions.
Full runtime dependencies of tools-3.4.1: compiler-5.0, erts-11.0,
erts-9.1, kernel-5.4, runtime_tools-1.8.14, stdlib-3.4
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------