
Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Sep 10, 2025

This PR contains the following updates:

Package: erlang
Update:  patch
Change:  28.0.2 -> 28.0.4

Release Notes

erlang/otp (erlang)

v28.0.4: OTP 28.0.4


Patch Package:           OTP 28.0.4
Git Tag:                 OTP-28.0.4
Date:                    2025-09-11
Trouble Report Id:       OTP-19729
Seq num:                 CVE-2016-1000107, GH-3392, PR-6223
System:                  OTP
Release:                 28
Application:             inets-9.4.1
Predecessor:             OTP 28.0.3

Check out the git tag OTP-28.0.4, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

inets-9.4.1

The inets-9.4.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

  • Fixed a bug where a request sent to an httpd server that uses a CGI script to generate a response would pollute the server's HTTP_PROXY environment variable for that request. This bug is also known as httpoxy. More information: CVE-2016-1000107

    Own Id: OTP-19729
    Related Id(s): GH-3392, PR-6223, CVE-2016-1000107

Full runtime dependencies of inets-9.4.1

erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0

Thanks to

Marcel Lanz

v28.0.3: OTP 28.0.3


Patch Package:           OTP 28.0.3
Git Tag:                 OTP-28.0.3
Date:                    2025-09-10
Trouble Report Id:       OTP-19701, OTP-19741, OTP-19742, OTP-19748,
                         OTP-19753, OTP-19755, OTP-19761
Seq num:                 CVE-2025-48038, CVE-2025-48039,
                         CVE-2025-48040, CVE-2025-48041,
                         CVE-2025-58050, PR-10155, PR-10156, PR-10157,
                         PR-10162, PR-19755, PR-9815
System:                  OTP
Release:                 28
Application:             diameter-2.5.1, erts-16.0.3, ssh-5.3.3,
                         stdlib-7.0.3
Predecessor:             OTP 28.0.2

Check out the git tag OTP-28.0.3, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

POTENTIAL INCOMPATIBILITIES

  • Option max_handles can be configured for sshd running SFTP. The positive integer value limits the number of file handles opened for a connection (by default 4096 is used).

    Own Id: OTP-19701
    Application(s): ssh
    Related Id(s): PR-10157, CVE-2025-48041

  • Avoid decoding KEX messages providing too many algorithms. This change does not introduce a new limitation but ensures it is enforced earlier in the processing chain. Adjustments in error logging during handshake.

    Own Id: OTP-19741
    Application(s): ssh
    Related Id(s): PR-10162, CVE-2025-48040

  • A new 'max_path' option is now available in the sshd configuration, allowing administrators to set the maximum allowable path length. By default, this value is set to 4096 characters.

    Own Id: OTP-19742
    Application(s): ssh
    Related Id(s): PR-10155, CVE-2025-48039

  • Reject file handles exceeding size specified in RFCs (256 bytes).

    Own Id: OTP-19748
    Application(s): ssh
    Related Id(s): PR-10156, CVE-2025-48038

diameter-2.5.1

The diameter-2.5.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

  • With this change, the message_cb callback will be called with updated state for processing 'ack' after 'send'.

    Own Id: OTP-19753
    Related Id(s): PR-9815

Full runtime dependencies of diameter-2.5.1

erts-10.0, kernel-3.2, ssl-9.0, stdlib-5.0

erts-16.0.3

The erts-16.0.3 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

  • Update PCRE2 from 10.45 to 10.46. Fixes potential buffer read overflow on regular expressions with (*scs:) and (*ACCEPT) syntax combined.

    Own Id: OTP-19755
    Related Id(s): CVE-2025-58050

  • Fixed a bug that could cause a crash in beam started with erl -emu_type debug +JPperf true with any type of return-from-function tracing.

    Own Id: OTP-19761
    Related Id(s): PR-19755

Full runtime dependencies of erts-16.0.3

kernel-9.0, sasl-3.3, stdlib-4.1

ssh-5.3.3

The ssh-5.3.3 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

  • Option max_handles can be configured for sshd running SFTP. The positive integer value limits the number of file handles opened for a connection (by default 4096 is used).

    Own Id: OTP-19701
    Related Id(s): PR-10157, CVE-2025-48041

    *** POTENTIAL INCOMPATIBILITY ***

  • Avoid decoding KEX messages providing too many algorithms. This change does not introduce a new limitation but ensures it is enforced earlier in the processing chain. Adjustments in error logging during handshake.

    Own Id: OTP-19741
    Related Id(s): PR-10162, CVE-2025-48040

    *** POTENTIAL INCOMPATIBILITY ***

  • A new 'max_path' option is now available in the sshd configuration, allowing administrators to set the maximum allowable path length. By default, this value is set to 4096 characters.

    Own Id: OTP-19742
    Related Id(s): PR-10155, CVE-2025-48039

    *** POTENTIAL INCOMPATIBILITY ***

  • Reject file handles exceeding size specified in RFCs (256 bytes).

    Own Id: OTP-19748
    Related Id(s): PR-10156, CVE-2025-48038

    *** POTENTIAL INCOMPATIBILITY ***

Full runtime dependencies of ssh-5.3.3

crypto-5.0, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0

stdlib-7.0.3

Note! The stdlib-7.0.3 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependency has to be satisfied:
   -- erts-16.0.3 (first satisfied in OTP 28.0.3)

Fixed Bugs and Malfunctions

  • Update PCRE2 from 10.45 to 10.46. Fixes potential buffer read overflow on regular expressions with (*scs:) and (*ACCEPT) syntax combined.

    Own Id: OTP-19755
    Related Id(s): CVE-2025-58050

Full runtime dependencies of stdlib-7.0.3

compiler-5.0, crypto-4.5, erts-16.0.3, kernel-10.0, sasl-3.0, syntax_tools-3.2.1

Thanks to

Alberto Sartori
Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate.
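The inets fix above (OTP-19729, CVE-2016-1000107) concerns the CGI convention of exposing every request header to the script as an `HTTP_<NAME>` environment variable: a client-supplied `Proxy` header becomes `HTTP_PROXY`, which many HTTP client libraries read as their outbound proxy setting. The following is an added example, not OTP's inets code, showing the RFC 3875 header-to-meta-variable mapping in a naive form beside a hardened form that refuses to map the `Proxy` header, plus a check that can be run against a generated environment. The request headers and the server's base environment are constructed sample values.

```python
"""CGI meta-variable construction with and without the httpoxy guard.

Added example (not OTP inets code). Demonstrates why a request header named
'Proxy' must never be turned into the HTTP_PROXY environment variable of a
CGI child process, and how a server can refuse to do so.
"""

# Headers that RFC 3875 maps to dedicated meta-variables instead of HTTP_*.
_SPECIAL = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}

# Request headers that must never reach the CGI environment as HTTP_*.
# 'Proxy' is not a standard request header, but HTTP_PROXY is honoured by
# many HTTP client libraries as the outbound proxy URL (httpoxy).
_BLOCKED = {"proxy"}


def header_to_meta_var(name):
    """Apply the RFC 3875 rule: upper-case, '-' -> '_', prefix HTTP_."""
    return "HTTP_" + name.upper().replace("-", "_")


def _base_environment(method, script_name, query, base_env):
    """Common request meta-variables shared by both builders."""
    env = {} if base_env is None else dict(base_env)
    env["GATEWAY_INTERFACE"] = "CGI/1.1"
    env["REQUEST_METHOD"] = method
    env["SCRIPT_NAME"] = script_name
    env["QUERY_STRING"] = query
    return env


def cgi_environment_naive(method, script_name, query, headers, base_env=None):
    """Vulnerable form: every request header is mapped, including 'Proxy'."""
    env = _base_environment(method, script_name, query, base_env)
    for name, value in headers:
        key = name.lower()
        if key in _SPECIAL:
            env[_SPECIAL[key]] = value
        else:
            env[header_to_meta_var(key)] = value
    return env


def cgi_environment(method, script_name, query, headers, base_env=None):
    """Hardened form: blocked headers are dropped before they become HTTP_*."""
    env = _base_environment(method, script_name, query, base_env)
    for name, value in headers:
        key = name.lower()
        if key in _BLOCKED:
            continue  # never let a client choose the child's proxy
        if key in _SPECIAL:
            env[_SPECIAL[key]] = value
        else:
            env[header_to_meta_var(key)] = value
    return env


def environment_is_polluted(env):
    """True if a client-controlled HTTP_PROXY made it into the environment."""
    return "HTTP_PROXY" in env


# Constructed sample request: a normal request carrying a hostile 'Proxy' header.
SAMPLE_HEADERS = [
    ("Host", "www.example.test"),
    ("User-Agent", "sample-client/1.0"),
    ("Content-Type", "text/plain"),
    ("Proxy", "http://proxy.example.invalid:8080"),
]

# Constructed sample: the server process legitimately has a lower-case
# http_proxy set by its operator; the guard must leave that alone.
SAMPLE_BASE_ENV = {"http_proxy": "http://corp-proxy.example.invalid:3128"}


if __name__ == "__main__":
    naive = cgi_environment_naive("GET", "/cgi-bin/hello", "", SAMPLE_HEADERS, SAMPLE_BASE_ENV)
    safe = cgi_environment("GET", "/cgi-bin/hello", "", SAMPLE_HEADERS, SAMPLE_BASE_ENV)
    print("naive polluted:", environment_is_polluted(naive))   # True
    print("hardened polluted:", environment_is_polluted(safe))  # False
```

The guard is deliberately a block-list on the header name rather than a check on the value: any value of `Proxy` is unwanted, and the operator's own lower-case `http_proxy` in the parent environment is left untouched so legitimate outbound proxying keeps working.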

@renovate renovate bot changed the title Update dependency erlang to v28.0.3 Update dependency erlang to v28.0.4 Sep 11, 2025
@renovate renovate bot force-pushed the renovate/erlang-28.x branch from b515689 to f3ab5ba Compare September 11, 2025 14:10
@maennchen maennchen merged commit ee7e880 into main Sep 14, 2025
10 of 16 checks passed
@maennchen maennchen deleted the renovate/erlang-28.x branch September 14, 2025 10:37