Skip to content

OTP 29.0.2

Choose a tag to compare

View all tags
@github-actions github-actions released this 10 Jun 09:16
· 324 commits to master since this release
OTP-29.0.2
36b336d 
Patch Package:           OTP 29.0.2
Git Tag:                 OTP-29.0.2
Date:                    2026-06-10
Trouble Report Id:       OTP-20057, OTP-20149, OTP-20150, OTP-20151,
                         OTP-20153, OTP-20154, OTP-20155, OTP-20156,
                         OTP-20160, OTP-20161, OTP-20162, OTP-20163,
                         OTP-20165, OTP-20166, OTP-20170, OTP-20172,
                         OTP-20174, OTP-20178, OTP-20181
Seq num:                 CVE-2026-48855, CVE-2026-48856,
                         CVE-2026-48858, CVE-2026-48859,
                         CVE-2026-48860, CVE-2026-49759,
                         CVE-2026-49760, GH-11104, GH-11105, GH-11152,
                         GH-SA-24cv-hwgr-37fq, GH-SA-3w6p-vwhf-wvp4,
                         GH-SA-6f4f-chj5-5g97, GH-SA-gp7x-mfv6-52cv,
                         GH-SA-m75x-4vwg-ggjh, GH-SA-pv7g-pjrq-x2fh,
                         GH-SA-xcxj-5pg2-v72j, PR-11141, PR-11145,
                         PR-11146, PR-11148, PR-11154, PR-11157,
                         PR-11168, PR-11181, PR-11186, PR-11192,
                         PR-11193, PR-11195, PR-11199, PR-11205,
                         PR-11212, PR-1234, PR-27384
System:                  OTP
Release:                 29
Application:             dialyzer-6.0.1, diameter-2.7.1,
                         erl_interface-5.8.1, erts-17.0.2, ftp-1.2.6,
                         inets-9.7.1, kernel-11.0.2, mnesia-4.26.1,
                         public_key-1.21.2, ssh-6.0.1, ssl-11.7.2,
                         stdlib-8.0.1, tools-4.2.1
Predecessor:             OTP 29.0.1

Check out the git tag OTP-29.0.2, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

dialyzer-6.0.1

The dialyzer-6.0.1 application can be applied independently of other applications on a full OTP 29 installation.

Fixed Bugs and Malfunctions

  • Fix native record bugs in Dialyzer

    Own Id: OTP-20178
    Related Id(s): PR-11199

Full runtime dependencies of dialyzer-6.0.1

compiler-10.0, erts-12.0, kernel-8.0, stdlib-5.0, syntax_tools-2.0

diameter-2.7.1

The diameter-2.7.1 application can be applied independently of other applications on a full OTP 29 installation.

Fixed Bugs and Malfunctions

  • Fixed return value documentation of diameter:service_info(SvcName, statistics)

    Own Id: OTP-20150
    Related Id(s): GH-11105, PR-11146

Full runtime dependencies of diameter-2.7.1

erts-10.0, kernel-3.2, ssl-9.0, stdlib-5.0

erl_interface-5.8.1

The erl_interface-5.8.1 application can be applied independently of other applications on a full OTP 29 installation.

Fixed Bugs and Malfunctions

erts-17.0.2

The erts-17.0.2 application can be applied independently of other applications on a full OTP 29 installation.

Fixed Bugs and Malfunctions

  • A buffer overflow error when parsing SCTP ERROR or ABORT chunks has been fixed.

    This could lead to stack corruption and VM crash, but ultimately with hard work by an attacker be refined into maybe even remote code execution.

    Own Id: OTP-20165
    Related Id(s): GH-SA-6f4f-chj5-5g97, PR-1234, CVE-2026-49759

Full runtime dependencies of erts-17.0.2

kernel-9.0, sasl-3.3, stdlib-4.1

ftp-1.2.6

The ftp-1.2.6 application can be applied independently of other applications on a full OTP 29 installation.

Fixed Bugs and Malfunctions

  • FTP client default connections that use the so called passive mode of FTP fails to properly validating the response IP of the server, hence a malicious or compromised FTP server could redirect the data connection to an arbitrary host, enabling s server-side request forgery (SSRF) and FTP bounce attacks.

    Own Id: OTP-20166
    Related Id(s): GH-SA-24cv-hwgr-37fq, PR-11186, CVE-2026-48858

Full runtime dependencies of ftp-1.2.6

erts-7.0, kernel-6.0, runtime_tools-1.15.1, ssl-10.2, stdlib-3.5

inets-9.7.1

The inets-9.7.1 application can be applied independently of other applications on a full OTP 29 installation.

Fixed Bugs and Malfunctions

  • The HTTP client (httpc) now removes Authorization, Proxy-Authorization, Cookie, Referer, and Origin headers when following a redirect to a different host or port. Previously these headers were forwarded verbatim, potentially leaking credentials to unintended targets.

    This follows the requirements of RFC 9110 §15.4.

    Own Id: OTP-20155
    Related Id(s): GH-SA-m75x-4vwg-ggjh, PR-11212, CVE-2026-48856

Full runtime dependencies of inets-9.7.1

erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0

kernel-11.0.2

The kernel-11.0.2 application can be applied independently of other applications on a full OTP 29 installation.

Fixed Bugs and Malfunctions

  • gen_tcp_socket accept should explicitly inherit the same options as plain gen_tcp.

    Own Id: OTP-20057

Full runtime dependencies of kernel-11.0.2

crypto-5.8, erts-17.0, sasl-3.0, stdlib-8.0

mnesia-4.26.1

The mnesia-4.26.1 application can be applied independently of other applications on a full OTP 29 installation.

Fixed Bugs and Malfunctions

  • Fixed docs of mnesia:write/3 to clarify when a transaction can terminate.

    Own Id: OTP-20149
    Related Id(s): GH-11104, PR-11145

Full runtime dependencies of mnesia-4.26.1

erts-9.0, kernel-5.3, stdlib-5.0

public_key-1.21.2

The public_key-1.21.2 application can be applied independently of other applications on a full OTP 29 installation.

Fixed Bugs and Malfunctions

  • Add missing macro reference for legacy algorithms md5 and sha224. This mainly improves error handling.

    Own Id: OTP-20172
    Related Id(s): PR-11195

Full runtime dependencies of public_key-1.21.2

asn1-5.0, crypto-5.8, erts-13.0, kernel-8.0, stdlib-4.0

ssh-6.0.1

The ssh-6.0.1 application can be applied independently of other applications on a full OTP 29 installation.

Fixed Bugs and Malfunctions

  • Fixed a timing-based username enumeration vulnerability during password authentication with the user_passwords option. A dummy PBKDF2 computation is now performed for invalid usernames to match the response time of valid ones.

    Own Id: OTP-20153
    Related Id(s): GH-SA-3w6p-vwhf-wvp4, PR-11157, CVE-2026-48859

  • Fixed SSH_FXP_READLINK handler in ssh_sftpd to strip the backend root prefix from symlink targets before returning them to the client, preventing disclosure of the server's absolute filesystem path when the root option is configured.

    Own Id: OTP-20162
    Related Id(s): GH-SA-pv7g-pjrq-x2fh, PR-11192, CVE-2026-48855

  • Fixed a race condition where SSH keep-alive responses could consume pending channel open requests, causing channel setup to fail silently.

    Own Id: OTP-20181
    Related Id(s): PR-11205

Full runtime dependencies of ssh-6.0.1

crypto-5.7, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-8.0

ssl-11.7.2

Note! The ssl-11.7.2 application cannot be applied independently of other applications on an arbitrary OTP 29 installation.

   On a full OTP 29 installation, also the following runtime
   dependency has to be satisfied:
   -- public_key-1.21.1 (first satisfied in OTP 29.0.1)

Fixed Bugs and Malfunctions

  • Fix miscellanies issues that could cause unnecessary memory consumption and in some less common scenarios or configurations cause connection failures.

    Own Id: OTP-20154
    Related Id(s): PR-11148

  • Erlang distribution over TLS run with the kernel 'check_ip' flag now properly enforce connecting nodes to be on the same LAN.

    Own Id: OTP-20156
    Related Id(s): GH-SA-gp7x-mfv6-52cv, PR-11181, CVE-2026-48860

  • Enhance error message, by fixing typo of atom in new error message related to `public_key` CVE-2026-42790 solution.

    Own Id: OTP-20161
    Related Id(s): PR-11148

  • Corrected SNI handling for TLS-1.3 only server, could cause connection failures if supported signature algorithms where changed by SNI option update.

    Own Id: OTP-20174
    Related Id(s): PR-27384

Full runtime dependencies of ssl-11.7.2

crypto-5.8, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.21.1, runtime_tools-1.15.1, stdlib-7.0

stdlib-8.0.1

The stdlib-8.0.1 application can be applied independently of other applications on a full OTP 29 installation.

Fixed Bugs and Malfunctions

  • Fix a bug where a tuple record operation within a native record anonymous update can crash.

    Own Id: OTP-20151
    Related Id(s): PR-11141

  • Fixed some bugs in io_lib:bformat/2 and native record printing.

    Own Id: OTP-20170
    Related Id(s): PR-11154

Full runtime dependencies of stdlib-8.0.1

compiler-5.0, crypto-4.5, erts-16.0.3, kernel-11.0, sasl-3.0, syntax_tools-3.2.1

tools-4.2.1

The tools-4.2.1 application can be applied independently of other applications on a full OTP 29 installation.

Fixed Bugs and Malfunctions

  • Xref could crash instead of returning an appropriate error tuple when asked to open a BEAM file without debug information but with a moduledoc(false) attribute.

    Own Id: OTP-20163
    Related Id(s): GH-11152, PR-11168

Full runtime dependencies of tools-4.2.1

compiler-8.5, crypto-5.9, erts-15.0, kernel-10.0, public_key-1.21, runtime_tools-2.1, stdlib-6.0

Thanks to

John Downey, Jonatan Männchen

Assets 16
Loading