Releases: erlang/otp
OTP 27.3.4.1
Patch Package: OTP 27.3.4.1
Git Tag: OTP-27.3.4.1
Date: 2025-06-16
Trouble Report Id: OTP-19634, OTP-19635, OTP-19637, OTP-19638,
OTP-19640, OTP-19646, OTP-19647, OTP-19649,
OTP-19653, OTP-19658, OTP-19659, OTP-19662,
OTP-19667, OTP-19676
Seq num: CVE-2025-4748, ERIERL-1225, ERIERL-1235,
GH-6463, GH-9102, GH-9722, GH-9771, GH-9816,
GH-9841, GH-9875, PR-9103, PR-9691, PR-9838,
PR-9846, PR-9849, PR-9859, PR-9876, PR-9896,
PR-9897, PR-9898, PR-9905, PR-9912, PR-9941
System: OTP
Release: 27
Application: asn1-5.3.4.1, eldap-1.2.14.1,
kernel-10.2.7.1, ssh-5.2.11.1, ssl-11.2.12.1,
stdlib-6.2.2.1, xmerl-2.1.3.1
Predecessor: OTP 27.3.4
Check out the git tag OTP-27.3.4.1, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.
OTP-27.3.4.1
Fixed Bugs and Malfunctions
-
Disable warnings as error for
ex_docwhen any Erlang/OTP application has been disabled by configure.
asn1-5.3.4.1
The asn1-5.3.4.1 application can be applied independently of other applications on a full OTP 27 installation.
Fixed Bugs and Malfunctions
-
The ASN.1 compiler could generate code that would cause Dialyzer with the
unmatched_returnsoption to emit warnings.
Full runtime dependencies of asn1-5.3.4.1
erts-14.0, kernel-9.0, stdlib-5.0
eldap-1.2.14.1
The eldap-1.2.14.1 application can be applied independently of other applications on a full OTP 27 installation.
Fixed Bugs and Malfunctions
-
With this change eldap's 'not' function will have specs fixed.
Own Id: OTP-19658
Related Id(s): PR-9859
Full runtime dependencies of eldap-1.2.14.1
asn1-3.0, erts-6.0, kernel-3.0, ssl-5.3.4, stdlib-3.4
kernel-10.2.7.1
Note! The kernel-10.2.7.1 application cannot be applied independently of other applications on an arbitrary OTP 27 installation.
On a full OTP 27 installation, also the following runtime
dependency has to be satisfied:
-- erts-15.2.5 (first satisfied in OTP 27.3.2)
Fixed Bugs and Malfunctions
-
A remote shell can now exit by closing the input stream, without terminating the remote node.
Own Id: OTP-19667
Related Id(s): PR-9912
Improvements and New Features
-
Document default buffer sizes
Own Id: OTP-19640
Related Id(s): GH-9722
Full runtime dependencies of kernel-10.2.7.1
crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-6.0
ssh-5.2.11.1
The ssh-5.2.11.1 application can be applied independently of other applications on a full OTP 27 installation.
Fixed Bugs and Malfunctions
-
Various channel closing robustness improvements. Avoid crashes when channel handling process closes channel and immediately exits. Avoid breaking the protocol by sending duplicated channel-close messages. Cleanup channels which timeout during closing procedure.
-
Improved interoperability with clients acting as Paramiko.
Full runtime dependencies of ssh-5.2.11.1
crypto-5.0, erts-14.0, kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0
ssl-11.2.12.1
Note! The ssl-11.2.12.1 application cannot be applied independently of other applications on an arbitrary OTP 27 installation.
On a full OTP 27 installation, also the following runtime
dependency has to be satisfied:
-- public_key-1.16.4 (first satisfied in OTP 27.1.3)
Fixed Bugs and Malfunctions
-
hs_keylog callback properly handle alert in initial states, where encryption is not yet used. Also add keylog callback invocation for corner-case where server alert is encrypted with application secrets as client is already in connection state.
Own Id: OTP-19635
Related Id(s): ERIERL-1235, PR-9849
Improvements and New Features
-
The documentation for SSL option
verify_funhas been improved.Own Id: OTP-19676
Related Id(s): PR-9691
Full runtime dependencies of ssl-11.2.12.1
crypto-5.0, erts-15.0, inets-5.10.7, kernel-9.0, public_key-1.16.4, runtime_tools-1.15.1, stdlib-6.0
stdlib-6.2.2.1
The stdlib-6.2.2.1 application can be applied independently of other applications on a full OTP 27 installation.
Fixed Bugs and Malfunctions
-
The
save_module/1command in the shell now saves both the locally defined records and the imported records using therr/1command. -
It's now possible to write
lists:map(fun is_atom/1, [])orlists:map(fun my_func/1, []), in the shell, instead oflists:map(fun erlang:is_atom/1, [])orlists:map(fun shell_default:my_func/1, []). -
Properly strip the leading
/and drive letter from filepaths when zipping and unzipping archives.Thanks to Wander Nauta for finding and responsibly disclosing this vulnerability to the Erlang/OTP project.
Own Id: OTP-19653
Related Id(s): PR-9941, CVE-2025-4748 -
Shell no longer crashes when requesting to autocomplete map keys containing non-atoms.
Own Id: OTP-19659
Related Id(s): PR-9896 -
A remote shell can now exit by closing the input stream, without terminating the remote node.
Own Id: OTP-19667
Related Id(s): PR-9912
Full runtime dependencies of stdlib-6.2.2.1
compiler-5.0, crypto-4.5, erts-15.0, kernel-10.0, sasl-3.0
xmerl-2.1.3.1
The xmerl-2.1.3.1 application can be applied independently of other applications on a full OTP 27 installation.
Fixed Bugs and Malfunctions
-
The type specs of
xmerl_scan:file/2andxmerl_scan:string/2has been updated to returndynamic/0. Due to hook functions they can return any user defined term.Own Id: OTP-19662
Related Id(s): ERIERL-1225, PR-9905
Full runtime dependencies of xmerl-2.1.3.1
erts-6.0, kernel-8.4, stdlib-2.5
Thanks to
Dan Janowski, Ilya Averyanov, Yaroslav Maslennikov
OTP 26.2.5.13
Patch Package: OTP 26.2.5.13
Git Tag: OTP-26.2.5.13
Date: 2025-06-16
Trouble Report Id: OTP-19634, OTP-19637, OTP-19638, OTP-19649,
OTP-19653, OTP-19667
Seq num: CVE-2025-4748, GH-6463, GH-9102, GH-9771,
GH-9841, PR-9103, PR-9838, PR-9846, PR-9898,
PR-9912, PR-9941
System: OTP
Release: 26
Application: asn1-5.2.2.1, kernel-9.2.4.9, ssh-5.1.4.10,
stdlib-5.2.3.4
Predecessor: OTP 26.2.5.12
Check out the git tag OTP-26.2.5.13, and build a full OTP system
including documentation. Apply one or more applications from this
build as patches to your installation using the 'otp_patch_apply'
tool. For information on install requirements, see descriptions for
each application version below.
---------------------------------------------------------------------
--- asn1-5.2.2.1 ----------------------------------------------------
---------------------------------------------------------------------
The asn1-5.2.2.1 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19638 Application(s): asn1
Related Id(s): GH-9841, PR-9846
The ASN.1 compiler could generate code that would cause
Dialyzer with the unmatched_returns option to emit
warnings.
Full runtime dependencies of asn1-5.2.2.1: erts-11.0, kernel-7.0,
stdlib-3.13
---------------------------------------------------------------------
--- kernel-9.2.4.9 --------------------------------------------------
---------------------------------------------------------------------
The kernel-9.2.4.9 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19667 Application(s): kernel, stdlib
Related Id(s): PR-9912
A remote shell can now exit by closing the input
stream, without terminating the remote node.
Full runtime dependencies of kernel-9.2.4.9: crypto-5.0, erts-14.0,
sasl-3.0, stdlib-5.0
---------------------------------------------------------------------
--- ssh-5.1.4.10 ----------------------------------------------------
---------------------------------------------------------------------
The ssh-5.1.4.10 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19634 Application(s): ssh
Related Id(s): GH-9102, PR-9103
Various channel closing robustness improvements. Avoid
crashes when channel handling process closes channel
and immediately exits. Avoid breaking the protocol by
sending duplicated channel-close messages. Cleanup
channels which timeout during closing procedure.
OTP-19637 Application(s): ssh
Related Id(s): GH-6463, PR-9838
Improved interoperability with clients acting as
Paramiko.
Full runtime dependencies of ssh-5.1.4.10: crypto-5.0, erts-14.0,
kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0,
stdlib-5.0
---------------------------------------------------------------------
--- stdlib-5.2.3.4 --------------------------------------------------
---------------------------------------------------------------------
The stdlib-5.2.3.4 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19649 Application(s): stdlib
Related Id(s): GH-9771, PR-9898
It's now possible to write lists:map(fun is_atom/1, [])
or lists:map(fun my_func/1, []), in the shell, instead
of lists:map(fun erlang:is_atom/1, []) or lists:map(fun
shell_default:my_func/1, []).
OTP-19653 Application(s): stdlib
Related Id(s): PR-9941, CVE-2025-4748
Properly strip the leading / and drive letter from
filepaths when zipping and unzipping archives.
Thanks to Wander Nauta for finding and responsibly
disclosing this vulnerability to the Erlang/OTP
project.
OTP-19667 Application(s): kernel, stdlib
Related Id(s): PR-9912
A remote shell can now exit by closing the input
stream, without terminating the remote node.
Full runtime dependencies of stdlib-5.2.3.4: compiler-5.0,
crypto-4.5, erts-13.1, kernel-9.0, sasl-3.0
---------------------------------------------------------------------
--- Thanks to -------------------------------------------------------
---------------------------------------------------------------------
Yaroslav Maslennikov
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
OTP 28.0.1
Patch Package: OTP 28.0.1
Git Tag: OTP-28.0.1
Date: 2025-06-16
Trouble Report Id: OTP-19634, OTP-19635, OTP-19637, OTP-19638,
OTP-19641, OTP-19644, OTP-19645, OTP-19650,
OTP-19653, OTP-19658, OTP-19662, OTP-19665,
OTP-19675, OTP-19676
Seq num: CVE-2025-4748, ERIERL-1225, ERIERL-1235,
GH-6463, GH-9102, GH-9841, GH-9858, GH-9863,
GH-9872, PR-9103, PR-9691, PR-9838, PR-9846,
PR-9849, PR-9859, PR-9861, PR-9870, PR-9878,
PR-9880, PR-9892, PR-9905, PR-9926, PR-9941
System: OTP
Release: 28
Application: asn1-5.4.1, debugger-6.0.1, eldap-1.2.16,
erts-16.0.1, kernel-10.3.1,
public_key-1.18.1, ssh-5.3.1, ssl-11.3.1,
stdlib-7.0.1, xmerl-2.1.5
Predecessor: OTP 28.0
Check out the git tag OTP-28.0.1, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.
asn1-5.4.1
The asn1-5.4.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
The ASN.1 compiler could generate code that would cause Dialyzer with the
unmatched_returnsoption to emit warnings.
Full runtime dependencies of asn1-5.4.1
erts-14.0, kernel-9.0, stdlib-5.0
debugger-6.0.1
The debugger-6.0.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Restore deleted icon so that debugger does not crash on startup.
Full runtime dependencies of debugger-6.0.1
compiler-8.0, erts-15.0, kernel-10.0, stdlib-7.0, wx-2.0
eldap-1.2.16
The eldap-1.2.16 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
With this change eldap's 'not' function will have specs fixed.
Own Id: OTP-19658 Related Id(s): PR-9859
Full runtime dependencies of eldap-1.2.16
asn1-3.0, erts-6.0, kernel-3.0, ssl-5.3.4, stdlib-3.4
erts-16.0.1
The erts-16.0.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Fix Erlang to not crash when io:standard_error/0 is a terminal but io:standard_io/0 is not. This bug has existed since Erlang/OTP 28.0 and only effects Windows.
-
In a debug build, the BIFs for the native debugger could cause a lock order violation diagnostic from the lock checker.
Own Id: OTP-19665 Related Id(s): PR-9926
-
When building ERTS make sure correct
pcre2.hfile is included even if CFLAGS contains extra include paths.Own Id: OTP-19675 Related Id(s): PR-9892
Full runtime dependencies of erts-16.0.1
kernel-9.0, sasl-3.3, stdlib-4.1
kernel-10.3.1
The kernel-10.3.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Fix bug where calling io:setopts/1 in a shell without the
line_historyoption would always disableline_history. This bug was introduced in Erlang/OTP 28.0.
Full runtime dependencies of kernel-10.3.1
crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-6.0
public_key-1.18.1
The public_key-1.18.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Add back some ASN-1 macros and definitions that should be included in API.
Own Id: OTP-19644 Related Id(s): PR-9880
Full runtime dependencies of public_key-1.18.1
asn1-5.0, crypto-5.0, erts-13.0, kernel-8.0, stdlib-4.0
ssh-5.3.1
The ssh-5.3.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Various channel closing robustness improvements. Avoid crashes when channel handling process closes channel and immediately exits. Avoid breaking the protocol by sending duplicated channel-close messages. Cleanup channels which timeout during closing procedure.
-
Improved interoperability with clients acting as Paramiko.
Full runtime dependencies of ssh-5.3.1
crypto-5.0, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0
ssl-11.3.1
The ssl-11.3.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
hs_keylog callback properly handle alert in initial states, where encryption is not yet used. Also add keylog callback invocation for corner-case where server alert is encrypted with application secrets as client is already in connection state.
Own Id: OTP-19635 Related Id(s): ERIERL-1235, PR-9849
Improvements and New Features
-
The documentation for SSL option
verify_funhas been improved.Own Id: OTP-19676 Related Id(s): PR-9691
Full runtime dependencies of ssl-11.3.1
crypto-5.6, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.16.4, runtime_tools-1.15.1, stdlib-7.0
stdlib-7.0.1
The stdlib-7.0.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Properly strip the leading
/and drive letter from filepaths when zipping and unzipping archives.Thanks to Wander Nauta for finding and responsibly disclosing this vulnerability to the Erlang/OTP project.
Own Id: OTP-19653 Related Id(s): PR-9941, CVE-2025-4748
Full runtime dependencies of stdlib-7.0.1
compiler-5.0, crypto-4.5, erts-16.0, kernel-10.0, sasl-3.0, syntax_tools-3.2.1
xmerl-2.1.5
The xmerl-2.1.5 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
The type specs of xmerl_scan:file/2 and xmerl_scan:string/2 has been updated to return
dynamic/0. Due to hook functions they can return any user defined term.Own Id: OTP-19662 Related Id(s): ERIERL-1225, PR-9905
Full runtime dependencies of xmerl-2.1.5
erts-6.0, kernel-8.4, stdlib-2.5
Thanks to
Dan Janowski, Ilya Averyanov, Mikael Pettersson, Yaroslav Maslennikov
OTP 28.0
OTP 28.0
Erlang/OTP 28 is a new major release with new features, improvements as well as a few incompatibilities. Some of the new features are highlighted below.
Many thanks to all contributors!
Starting with this release, a source Software Bill of Materials (SBOM) will describe the release on the Github Releases page. We welcome feedback on the SBOM.
New language features
-
Functionality making it possible for processes to enable reception of priority messages has been introduced in accordance with EEP 76.
-
Comprehensions have been extended with "zip generators" allowing multiple generators to be run in parallel. For example,
[A+B || A <- [1,2,3] && B <- [4,5,6]]will produce[5,7,9]. -
Generators in comprehensions can now be strict, meaning that if the generator pattern does not match, an exception will be raised instead of silently ignore the value that didn't match.
-
It is now possible to use any base for floating point numbers as per EEP 75: Based Floating Point Literals.
Compiler and JIT improvements
-
For certain types of errors, the compiler can now suggest corrections. For example, when attempting to use variable
Athat is not defined butA0is, the compiler could emit the following message:variable 'A' is unbound, did you mean 'A0'? -
The size of an atom in the Erlang source code was limited to 255 bytes in previous releases, meaning that an atom containing only emojis could contain only 63 emojis. While atoms are still only allowed to contain 255 characters, the number of bytes is no longer limited.
-
The
warn_deprecated_catchoption enables warnings for use of old-style catch expressions on the formcatch Exprinstead of the moderntry...catch...end. -
Provided that the map argument for a
maps:put/3call is known to the compiler to be a map, the compiler will replace such calls with the corresponding update using the map syntax. -
Some BIFs with side-effects (such as
binary_to_atom/1) are optimized intry...catchin the same way as guard BIFs in order to gain performance. -
The compiler’s alias analysis pass is now both faster and less conservative, allowing optimizations of records and binary construction to be applied in more cases.
ERTS
-
The
trace:system/3function has been added. It has a similar interface aserlang:system_monitor/2but it also supports trace sessions. -
os:set_signal/2now supports setting handlers for theSIGWINCH,SIGCONT, andSIGINFOsignals. -
The two new BIFs
erlang:processes_iterator/0anderlang:process_next/1make it possible to iterate over the process table in a way that scales better thanerlang:processes/0.
Shell and terminal
-
The erl -noshell mode has been updated to have two sub modes called
rawandcooked, wherecookedis the old default behaviour andrawcan be used to bypass the line-editing support of the native terminal. Usingrawmode it is possible to read keystrokes as they occur without the user having to press Enter. Also, therawmode does not echo the typed characters to stdout. -
The shell now prints a help message explaining how to interrupt a running command when stuck executing a command for longer than 5 seconds.
STDLIB
-
The
join(Binaries, Separator)function that joins a list of binaries has been added to thebinarymodule. -
By default, sets created by module
setswill now be represented as maps. -
Module
rehas been updated to use the newer PCRE2 library instead of the PCRE library. -
There is a new
zstdmodule that does Zstandard compression.
Public_key
- The ancient ASN.1 modules used in
public_keyhas been replaced with more modern versions, but we have strived to keep the documented Erlang API for thepublic_keyapplication compatible.
Dialyzer
- EEP 69: Nominal Types has been implemented.
SSL
- The data handling for tls-v1.3 has been optimized.
Emacs mode (in the Tools application)
- The
indent-regionin Emacs command will now handle multiline strings better.
For more details about new features and potential incompatibilities see the README.
OTP 27.3.4
Patch Package: OTP 27.3.4
Git Tag: OTP-27.3.4
Date: 2025-05-08
Trouble Report Id: OTP-19577, OTP-19599, OTP-19602, OTP-19605,
OTP-19608, OTP-19625
Seq num: CVE-2025-46712, ERIERL-1220, GH-9707,
GH-9720, PR-9696, PR-9724, PR-9753, PR-9765,
PR-9767
System: OTP
Release: 27
Application: erts-15.2.7, kernel-10.2.7, ssh-5.2.11,
xmerl-2.1.3
Predecessor: OTP 27.3.3
Check out the git tag OTP-27.3.4, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.
erts-15.2.7
The erts-15.2.7 application can be applied independently of other applications on a full OTP 27 installation.
Fixed Bugs and Malfunctions
-
Fixed an emulator crash when setting an error_handler module that was not yet loaded.
Own Id: OTP-19577
Related Id(s): ERIERL-1220, PR-9696 -
Fixed a rare bug that could cause an emulator crash after unloading a module or erasing a persistent_term.
Own Id: OTP-19599
Related Id(s): PR-9724
Full runtime dependencies of erts-15.2.7
kernel-9.0, sasl-3.3, stdlib-4.1
kernel-10.2.7
Note! The kernel-10.2.7 application cannot be applied independently of other applications on an arbitrary OTP 27 installation.
On a full OTP 27 installation, also the following runtime
dependency has to be satisfied:
-- erts-15.2.5 (first satisfied in OTP 27.3.2)
Fixed Bugs and Malfunctions
-
With this change, disk_log will not crash when using chunk_step/3 after log size was decreased.
-
With this change, disk_log will not run into infinite loop when using chunk/2,3 after log size was decreased.
Full runtime dependencies of kernel-10.2.7
crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-6.0
ssh-5.2.11
The ssh-5.2.11 application can be applied independently of other applications on a full OTP 27 installation.
Fixed Bugs and Malfunctions
-
Fix KEX strict implementation according to draft-miller-sshm-strict-kex-01 document.
Own Id: OTP-19625
Related Id(s): CVE-2025-46712
Full runtime dependencies of ssh-5.2.11
crypto-5.0, erts-14.0, kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0
xmerl-2.1.3
The xmerl-2.1.3 application can be applied independently of other applications on a full OTP 27 installation.
Improvements and New Features
-
A new option to discard whitespace before the
xmltag when reading from a stream has been added to the Xmerl SAX parser.{discard_ws_before_xml_document, Boolean}- Discard whitespace beforexmltag instead of returning a fatal error if set totrue(falseis default)
Own Id: OTP-19602
Related Id(s): PR-9753
Full runtime dependencies of xmerl-2.1.3
erts-6.0, kernel-8.4, stdlib-2.5
Thanks to
Lý Nhật Tâm
OTP 26.2.5.12
Patch Package: OTP 26.2.5.12
Git Tag: OTP-26.2.5.12
Date: 2025-05-08
Trouble Report Id: OTP-19577, OTP-19599, OTP-19600, OTP-19602,
OTP-19605, OTP-19608, OTP-19625
Seq num: CVE-2025-46712, ERIERL-1220, GH-9707,
GH-9715, GH-9720, PR-9696, PR-9724, PR-9737,
PR-9753, PR-9765, PR-9767
System: OTP
Release: 26
Application: compiler-8.4.3.3, erts-14.2.5.10,
kernel-9.2.4.8, ssh-5.1.4.9, xmerl-1.3.34.3
Predecessor: OTP 26.2.5.11
Check out the git tag OTP-26.2.5.12, and build a full OTP system
including documentation. Apply one or more applications from this
build as patches to your installation using the 'otp_patch_apply'
tool. For information on install requirements, see descriptions for
each application version below.
---------------------------------------------------------------------
--- compiler-8.4.3.3 ------------------------------------------------
---------------------------------------------------------------------
The compiler-8.4.3.3 application can be applied independently of
other applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19600 Application(s): compiler
Related Id(s): GH-9715, PR-9737
Fix a bug where unloaded nifs can crash the compiler.
Full runtime dependencies of compiler-8.4.3.3: crypto-5.1, erts-13.0,
kernel-8.4, stdlib-5.0
---------------------------------------------------------------------
--- erts-14.2.5.10 --------------------------------------------------
---------------------------------------------------------------------
The erts-14.2.5.10 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19577 Application(s): erts
Related Id(s): ERIERL-1220, PR-9696
Fixed an emulator crash when setting an error_handler
module that was not yet loaded.
OTP-19599 Application(s): erts
Related Id(s): PR-9724
Fixed a rare bug that could cause an emulator crash
after unloading a module or erasing a persistent_term.
Full runtime dependencies of erts-14.2.5.10: kernel-9.0, sasl-3.3,
stdlib-4.1
---------------------------------------------------------------------
--- kernel-9.2.4.8 --------------------------------------------------
---------------------------------------------------------------------
The kernel-9.2.4.8 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19605 Application(s): kernel
Related Id(s): GH-9720, PR-9765
With this change, disk_log will not crash when using
chunk_step/3 after log size was decreased.
OTP-19608 Application(s): kernel
Related Id(s): GH-9707, PR-9767
With this change, disk_log will not run into infinite
loop when using chunk/2,3 after log size was decreased.
Full runtime dependencies of kernel-9.2.4.8: crypto-5.0, erts-14.0,
sasl-3.0, stdlib-5.0
---------------------------------------------------------------------
--- ssh-5.1.4.9 -----------------------------------------------------
---------------------------------------------------------------------
The ssh-5.1.4.9 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19625 Application(s): ssh
Related Id(s): CVE-2025-46712
Fix KEX strict implementation according to
draft-miller-sshm-strict-kex-01 document.
Full runtime dependencies of ssh-5.1.4.9: crypto-5.0, erts-14.0,
kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0,
stdlib-5.0
---------------------------------------------------------------------
--- xmerl-1.3.34.3 --------------------------------------------------
---------------------------------------------------------------------
The xmerl-1.3.34.3 application can be applied independently of other
applications on a full OTP 26 installation.
--- Improvements and New Features ---
OTP-19602 Application(s): xmerl
Related Id(s): PR-9753
A new option to discard whitespace before the xml tag
when reading from a stream has been added to the Xmerl
SAX parser.
-- {discard_ws_before_xml_document, Boolean} -- Discard
whitespace before xml tag instead of returning a fatal
error if set to true (false is default)
Full runtime dependencies of xmerl-1.3.34.3: erts-6.0, kernel-8.4,
stdlib-2.5
---------------------------------------------------------------------
--- Thanks to -------------------------------------------------------
---------------------------------------------------------------------
João Henrique Ferreira de Freitas, Lý Nhật Tâm
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
OTP 25.3.2.21
Patch Package: OTP 25.3.2.21
Git Tag: OTP-25.3.2.21
Date: 2025-05-08
Trouble Report Id: OTP-19577, OTP-19599, OTP-19605, OTP-19608,
OTP-19625
Seq num: CVE-2025-46712, ERIERL-1220, GH-9707,
GH-9720, PR-9696, PR-9724, PR-9765, PR-9767
System: OTP
Release: 25
Application: erts-13.2.2.16, kernel-8.5.4.6, ssh-4.15.3.13
Predecessor: OTP 25.3.2.20
Check out the git tag OTP-25.3.2.21, and build a full OTP system
including documentation. Apply one or more applications from this
build as patches to your installation using the 'otp_patch_apply'
tool. For information on install requirements, see descriptions for
each application version below.
---------------------------------------------------------------------
--- erts-13.2.2.16 --------------------------------------------------
---------------------------------------------------------------------
Note! The erts-13.2.2.16 application *cannot* be applied
independently of other applications on an arbitrary OTP 25
installation.
On a full OTP 25 installation, also the following runtime
dependencies have to be satisfied:
-- kernel-8.5 (first satisfied in OTP 25.1)
-- stdlib-4.1 (first satisfied in OTP 25.1)
--- Fixed Bugs and Malfunctions ---
OTP-19577 Application(s): erts
Related Id(s): ERIERL-1220, PR-9696
Fixed an emulator crash when setting an error_handler
module that was not yet loaded.
OTP-19599 Application(s): erts
Related Id(s): PR-9724
Fixed a rare bug that could cause an emulator crash
after unloading a module or erasing a persistent_term.
Full runtime dependencies of erts-13.2.2.16: kernel-8.5, sasl-3.3,
stdlib-4.1
---------------------------------------------------------------------
--- kernel-8.5.4.6 --------------------------------------------------
---------------------------------------------------------------------
Note! The kernel-8.5.4.6 application *cannot* be applied
independently of other applications on an arbitrary OTP 25
installation.
On a full OTP 25 installation, also the following runtime
dependencies have to be satisfied:
-- erts-13.1.3 (first satisfied in OTP 25.2)
-- stdlib-4.1.1 (first satisfied in OTP 25.1.1)
--- Fixed Bugs and Malfunctions ---
OTP-19605 Application(s): kernel
Related Id(s): GH-9720, PR-9765
With this change, disk_log will not crash when using
chunk_step/3 after log size was decreased.
OTP-19608 Application(s): kernel
Related Id(s): GH-9707, PR-9767
With this change, disk_log will not run into infinite
loop when using chunk/2,3 after log size was decreased.
Full runtime dependencies of kernel-8.5.4.6: crypto-5.0, erts-13.1.3,
sasl-3.0, stdlib-4.1.1
---------------------------------------------------------------------
--- ssh-4.15.3.13 ---------------------------------------------------
---------------------------------------------------------------------
The ssh-4.15.3.13 application can be applied independently of other
applications on a full OTP 25 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19625 Application(s): ssh
Related Id(s): CVE-2025-46712
Fix KEX strict implementation according to
draft-miller-sshm-strict-kex-01 document.
Full runtime dependencies of ssh-4.15.3.13: crypto-5.0, erts-11.0,
kernel-6.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-3.15
---------------------------------------------------------------------
--- Thanks to -------------------------------------------------------
---------------------------------------------------------------------
João Henrique Ferreira de Freitas, Lý Nhật Tâm
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
OTP 28.0-rc4
OTP 28.0-rc4
Erlang/OTP 28.0-rc4 is the fourth release candidate before the OTP 28.0 release.
The intention with this release is to get feedback from our users. All feedback is welcome, even if it is only to say that it works for you, and that it installs as it should. We encourage users to try it out and give us feedback either by creating an issue at https://github.com/erlang/otp/issues or by posting to Erlang Forums.
All artifacts for the release can be downloaded from the Erlang/OTP Github release and you can view the new documentation at https://erlang.org/documentation/doc-16-rc4/doc. You can also install the latest release using kerl like this:
kerl build 28.0-rc4 28.0-rc4
Starting with this release, a source Software Bill of Materials (SBOM) will describe the release on the Github Releases page. We welcome feedback on the SBOM.
Erlang/OTP 28 is a new major release with new features, improvements as well as a few incompatibilities. Some of the new features are highlighted below.
Many thanks to all contributors!
Highlights for RC4
- The ancient ASN.1 modules used in
public_keyhas been replaced with more modern versions, but we have strived to keep the documented Erlang API for thepublic_keyapplication compatible.
Highlights for RC2
- Functionality making it possible for processes to enable reception of priority messages has been introduced in accordance with EEP 76.
Highlights for RC1
New language features
-
Comprehensions have been extended with "zip generators" allowing multiple generators to be run in parallel. For example,
[A+B || A <- [1,2,3] && B <- [4,5,6]]will produce[5,7,9]. -
Generators in comprehensions can now be strict, meaning that if the generator pattern does not match, an exception will be raised instead of silently ignore the value that didn't match.
-
It is now possible to use any base for floating point numbers as per EEP 75: Based Floating Point Literals.
Compiler and JIT improvements
-
For certain types of errors, the compiler can now suggest corrections. For example, when attempting to use variable
Athat is not defined butA0is, the compiler could emit the following message:variable 'A' is unbound, did you mean 'A0'? -
The size of an atom in the Erlang source code was limited to 255 bytes in previous releases, meaning that an atom containing only emojis could contain only 63 emojis. While atoms are still only allowed to contain 255 characters, the number of bytes is no longer limited.
-
The
warn_deprecated_catchoption enables warnings for use of old-style catch expressions on the formcatch Exprinstead of the moderntry...catch...end. -
Provided that the map argument for a
maps:put/3call is known to the compiler to be a map, the compiler will replace such calls with the corresponding update using the map syntax. -
Some BIFs with side-effects (such as
binary_to_atom/1) are optimized intry...catchin the same way as guard BIFs in order to gain performance. -
The compiler’s alias analysis pass is now both faster and less conservative, allowing optimizations of records and binary construction to be applied in more cases.
ERTS
-
The
trace:system/3function has been added. It has a similar interface aserlang:system_monitor/2but it also supports trace sessions. -
os:set_signal/2now supports setting handlers for theSIGWINCH,SIGCONT, andSIGINFOsignals. -
The two new BIFs
erlang:processes_iterator/0anderlang:process_next/1make it possible to iterate over the process table in a way that scales better thanerlang:processes/0.
Shell and terminal
-
The erl -noshell mode has been updated to have two sub modes called
rawandcooked, wherecookedis the old default behaviour andrawcan be used to bypass the line-editing support of the native terminal. Usingrawmode it is possible to read keystrokes as they occur without the user having to press Enter. Also, therawmode does not echo the typed characters to stdout. -
The shell now prints a help message explaining how to interrupt a running command when stuck executing a command for longer than 5 seconds.
STDLIB
-
The
join(Binaries, Separator)function that joins a list of binaries has been added to thebinarymodule. -
By default, sets created by module
setswill now be represented as maps. -
Module
rehas been updated to use the newer PCRE2 library instead of the PCRE library. -
There is a new
zstdmodule that does Zstandard compression.
Dialyzer
- EEP 69: Nominal Types has been implemented.
SSL
- The data handling for tls-v1.3 has been optimized.
Emacs mode (in the Tools application)
- The
indent-regionin Emacs command will now handle multiline strings better.
For more details about new features and potential incompatibilities see the README.
OTP 27.3.3
Patch Package: OTP 27.3.3
Git Tag: OTP-27.3.3
Date: 2025-04-16
Trouble Report Id: OTP-19581, OTP-19582, OTP-19585, OTP-19592,
OTP-19595
Seq num: CVE-2025-32433, ERIERL-1219, ERIERL-1222,
PR-9566, PR-9679, PR-9706
System: OTP
Release: 27
Application: erts-15.2.6, kernel-10.2.6, megaco-4.7.2,
ssh-5.2.10, ssl-11.2.12
Predecessor: OTP 27.3.2
Check out the git tag OTP-27.3.3, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.
erts-15.2.6
The erts-15.2.6 application can be applied independently of other applications on a full OTP 27 installation.
Fixed Bugs and Malfunctions
-
Fixed bug in
call_memorytracing that could cause wildly incorrect reported memory values. Bug exists since OTP 27.1.Also fixed return type spec of
trace:info/3.Own Id: OTP-19581
Related Id(s): ERIERL-1219, PR-9706
Full runtime dependencies of erts-15.2.6
kernel-9.0, sasl-3.3, stdlib-4.1
kernel-10.2.6
Note! The kernel-10.2.6 application cannot be applied independently of other applications on an arbitrary OTP 27 installation.
On a full OTP 27 installation, also the following runtime
dependency has to be satisfied:
-- erts-15.2.5 (first satisfied in OTP 27.3.2)
Fixed Bugs and Malfunctions
-
Fixed bug in
call_memorytracing that could cause wildly incorrect reported memory values. Bug exists since OTP 27.1.Also fixed return type spec of
trace:info/3.Own Id: OTP-19581
Related Id(s): ERIERL-1219, PR-9706
Full runtime dependencies of kernel-10.2.6
crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-6.0
megaco-4.7.2
The megaco-4.7.2 application can be applied independently of other applications on a full OTP 27 installation.
Fixed Bugs and Malfunctions
-
Corrected type spec for type mid().
Own Id: OTP-19585
Related Id(s): ERIERL-1222
Full runtime dependencies of megaco-4.7.2
asn1-3.0, debugger-4.0, erts-12.0, et-1.5, kernel-8.0, runtime_tools-1.8.14, stdlib-2.5
ssh-5.2.10
The ssh-5.2.10 application can be applied independently of other applications on a full OTP 27 installation.
Fixed Bugs and Malfunctions
-
Reception of wrong Unicode does not cause unnecessary processing. US-ASCII fields are not decoded as Unicode.
Own Id: OTP-19582
Related Id(s): PR-9679 -
SSH daemon disconnects upon receiving connection protocol message for unauthenticated used.
Thanks to Fabian Bäumer, Marcel Maehren, Marcus Brinkmann, Nurullah Erinola, Jörg Schwenk (Ruhr University Bochum).
Own Id: OTP-19595
Related Id(s): CVE-2025-32433
Full runtime dependencies of ssh-5.2.10
crypto-5.0, erts-14.0, kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0
ssl-11.2.12
Note! The ssl-11.2.12 application cannot be applied independently of other applications on an arbitrary OTP 27 installation.
On a full OTP 27 installation, also the following runtime
dependency has to be satisfied:
-- public_key-1.16.4 (first satisfied in OTP 27.1.3)
Improvements and New Features
-
Lower log level for user cancelation as this is not an error case. Also handle possible undecrypted close alert during TLS-1.3 handshake.
Own Id: OTP-19592
Related Id(s): PR-9566
Full runtime dependencies of ssl-11.2.12
crypto-5.0, erts-15.0, inets-5.10.7, kernel-9.0, public_key-1.16.4, runtime_tools-1.15.1, stdlib-6.0
Thanks to
Simon Cornish
OTP 26.2.5.11
Patch Package: OTP 26.2.5.11
Git Tag: OTP-26.2.5.11
Date: 2025-04-16
Trouble Report Id: OTP-19496, OTP-19582, OTP-19595
Seq num: CVE-2025-32433, GH-9190, PR-9463, PR-9679
System: OTP
Release: 26
Application: ssh-5.1.4.8, xmerl-1.3.34.2
Predecessor: OTP 26.2.5.10
Check out the git tag OTP-26.2.5.11, and build a full OTP system
including documentation. Apply one or more applications from this
build as patches to your installation using the 'otp_patch_apply'
tool. For information on install requirements, see descriptions for
each application version below.
---------------------------------------------------------------------
--- ssh-5.1.4.8 -----------------------------------------------------
---------------------------------------------------------------------
The ssh-5.1.4.8 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19582 Application(s): ssh
Related Id(s): PR-9679
Reception of wrong Unicode does not cause unnecessary
processing. US-ASCII fields are not decoded as Unicode.
OTP-19595 Application(s): ssh
Related Id(s): CVE-2025-32433
SSH daemon disconnects upon receiving connection
protocol message for unauthenticated used.
Thanks to Fabian Bäumer, Marcel Maehren, Marcus
Brinkmann, Nurullah Erinola, Jörg Schwenk (Ruhr
University Bochum).
Full runtime dependencies of ssh-5.1.4.8: crypto-5.0, erts-14.0,
kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0,
stdlib-5.0
---------------------------------------------------------------------
--- xmerl-1.3.34.2 --------------------------------------------------
---------------------------------------------------------------------
The xmerl-1.3.34.2 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19496 Application(s): xmerl
Related Id(s): GH-9190, PR-9463
Some old-style catch expressions in the
xmerl_sax_parser when the continuation fun was called
caused the stack to grow until all free memory was
exhausted. These parts have been rewritten so that the
parser now runs correctly without growing the stack. At
the same time all old-style catch expressions in xmerl
were replaced with try/catch.
Full runtime dependencies of xmerl-1.3.34.2: erts-6.0, kernel-8.4,
stdlib-2.5
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------