Releases: erlang/otp
OTP 27.3.4.6
Patch Package: OTP 27.3.4.6
Git Tag: OTP-27.3.4.6
Date: 2025-11-14
Trouble Report Id: OTP-19814, OTP-19843
Seq num: PR-10353
System: OTP
Release: 27
Application: erts-15.2.7.4, kernel-10.2.7.3, wx-2.4.3.1
Predecessor: OTP 27.3.4.5
Check out the git tag OTP-27.3.4.6, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.
erts-15.2.7.4
The erts-15.2.7.4 application can be applied independently of other applications on a full OTP 27 installation.
Improvements and New Features
-
Option(s) to create
gen_tcpandsocketsockets with protocol IPPROTO_MPTCP has been implemented.See functions
gen_tcp:listen/2,gen_tcp:connect/4and the typesocket:protocol/0.Own Id: OTP-19814
Full runtime dependencies of erts-15.2.7.4
kernel-9.0, sasl-3.3, stdlib-4.1
kernel-10.2.7.3
Note! The kernel-10.2.7.3 application cannot be applied independently of other applications on an arbitrary OTP 27 installation.
On a full OTP 27 installation, also the following runtime
dependency has to be satisfied:
-- erts-15.2.5 (first satisfied in OTP 27.3.2)
Improvements and New Features
-
Option(s) to create
gen_tcpandsocketsockets with protocol IPPROTO_MPTCP has been implemented.See functions
gen_tcp:listen/2,gen_tcp:connect/4and the typesocket:protocol/0.Own Id: OTP-19814
Full runtime dependencies of kernel-10.2.7.3
crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-6.0
wx-2.4.3.1
The wx-2.4.3.1 application can be applied independently of other applications on a full OTP 27 installation.
Fixed Bugs and Malfunctions
-
Fixed reading out of array bounds and potential memory leaks.
Own Id: OTP-19843
Related Id(s): PR-10353
Full runtime dependencies of wx-2.4.3.1
erts-12.0, kernel-8.0, stdlib-5.0
OTP 27.3.4.5
Patch Package: OTP 27.3.4.5
Git Tag: OTP-27.3.4.5
Date: 2025-11-07
Trouble Report Id: OTP-19828, OTP-19835, OTP-19839
Seq num: ERIERL-1273, PR-10242, PR-10333, PR-10350
System: OTP
Release: 27
Application: inets-9.3.2.2, ssh-5.2.11.4, ssl-11.2.12.4
Predecessor: OTP 27.3.4.4
Check out the git tag OTP-27.3.4.5, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.
inets-9.3.2.2
The inets-9.3.2.2 application can be applied independently of other applications on a full OTP 27 installation.
Fixed Bugs and Malfunctions
-
Fixed uri_string:uri_string() to string() type specs inside httpc.erl module.
Own Id: OTP-19835
Related Id(s): PR-10242
Full runtime dependencies of inets-9.3.2.2
erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0
ssh-5.2.11.4
The ssh-5.2.11.4 application can be applied independently of other applications on a full OTP 27 installation.
Fixed Bugs and Malfunctions
-
With this change user space buffers are used to limit ssh hello message size instead of kernel buffers
Own Id: OTP-19839
Related Id(s): ERIERL-1273, PR-10350
Full runtime dependencies of ssh-5.2.11.4
crypto-5.0, erts-14.0, kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0
ssl-11.2.12.4
Note! The ssl-11.2.12.4 application cannot be applied independently of other applications on an arbitrary OTP 27 installation.
On a full OTP 27 installation, also the following runtime
dependency has to be satisfied:
-- public_key-1.16.4 (first satisfied in OTP 27.1.3)
Fixed Bugs and Malfunctions
-
Correct documentation for fail_if_no_peer_cert option.
Own Id: OTP-19828
Related Id(s): PR-10333
Full runtime dependencies of ssl-11.2.12.4
crypto-5.0, erts-15.0, inets-5.10.7, kernel-9.0, public_key-1.16.4, runtime_tools-1.15.1, stdlib-6.0
Thanks to
Marcelino Alberdi Pereira
OTP 26.2.5.16
Patch Package: OTP 26.2.5.16
Git Tag: OTP-26.2.5.16
Date: 2025-11-07
Trouble Report Id: OTP-19790, OTP-19791, OTP-19799, OTP-19803,
OTP-19806, OTP-19817, OTP-19825, OTP-19828,
OTP-19835, OTP-19839
Seq num: ERIERL-1273, GH-10119, PR-10241, PR-10242,
PR-10245, PR-10257, PR-10274, PR-10296,
PR-10333, PR-10350, PR-9970
System: OTP
Release: 26
Application: erts-14.2.5.12, inets-9.1.0.4, ssh-5.1.4.13,
ssl-11.1.4.10, syntax_tools-3.1.0.1
Predecessor: OTP 26.2.5.15
Check out the git tag OTP-26.2.5.16, and build a full OTP system
including documentation. Apply one or more applications from this
build as patches to your installation using the 'otp_patch_apply'
tool. For information on install requirements, see descriptions for
each application version below.
---------------------------------------------------------------------
--- erts-14.2.5.12 --------------------------------------------------
---------------------------------------------------------------------
The erts-14.2.5.12 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19790 Application(s): erts
Related Id(s): PR-9970
Fixed the erl documentation of the default timewarp
mode used.
OTP-19799 Application(s): erts
Related Id(s): PR-10241
The erlang:suspend_process() BIFs failed to suspend
processes currently executing on dirty schedulers.
OTP-19803 Application(s): erts
Related Id(s): PR-10257
When multiple processes called the same fun whose
defining module was not loaded, a badfun exception
could sometimes occur in one of the calling processes.
This would only happen with the JIT runtime system.
Full runtime dependencies of erts-14.2.5.12: kernel-9.0, sasl-3.3,
stdlib-4.1
---------------------------------------------------------------------
--- inets-9.1.0.4 ---------------------------------------------------
---------------------------------------------------------------------
The inets-9.1.0.4 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19835 Application(s): inets
Related Id(s): PR-10242
Fixed uri_string:uri_string() to string() type specs
inside httpc.erl module.
Full runtime dependencies of inets-9.1.0.4: erts-14.0, kernel-9.0,
mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0,
stdlib-5.0, stdlib-5.0
---------------------------------------------------------------------
--- ssh-5.1.4.13 ----------------------------------------------------
---------------------------------------------------------------------
The ssh-5.1.4.13 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19839 Application(s): ssh
Related Id(s): ERIERL-1273, PR-10350
With this change user space buffers are used to limit
ssh hello message size instead of kernel buffers
Full runtime dependencies of ssh-5.1.4.13: crypto-5.0, erts-14.0,
kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0,
stdlib-5.0
---------------------------------------------------------------------
--- ssl-11.1.4.10 ---------------------------------------------------
---------------------------------------------------------------------
The ssl-11.1.4.10 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19791 Application(s): ssl
Related Id(s): PR-10245
Assert that hello extensions are unique and send an
illegal parameter alert if they are not.
OTP-19806 Application(s): ssl
Related Id(s): PR-10274
Avoid sending an internal message to the user process
in conjunction with handling a key update.
OTP-19825 Application(s): ssl
Related Id(s): PR-10296
Make sure TLS-1.3 protocol spec is followed, that is
psk-hello extension is guaranteed to be included as the
last extension in the list of client hello extensions
and internal hello message truncation in handshake
history is handled correctly, the previous handling
could cause interoperability issues.
OTP-19828 Application(s): ssl
Related Id(s): PR-10333
Correct documentation for fail_if_no_peer_cert option.
Full runtime dependencies of ssl-11.1.4.10: crypto-5.0, erts-14.0,
inets-5.10.7, kernel-9.0, public_key-1.11.3, runtime_tools-1.15.1,
stdlib-4.1
---------------------------------------------------------------------
--- syntax_tools-3.1.0.1 --------------------------------------------
---------------------------------------------------------------------
The syntax_tools-3.1.0.1 application can be applied independently of
other applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19817 Application(s): syntax_tools
Related Id(s): GH-10119
Annotate map comprehensions and generators
Full runtime dependencies of syntax_tools-3.1.0.1: compiler-7.0,
erts-9.0, kernel-5.0, stdlib-4.0
---------------------------------------------------------------------
--- Thanks to -------------------------------------------------------
---------------------------------------------------------------------
Daniel Gorin, Marcelino Alberdi Pereira
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
OTP 27.3.4.4
Patch Package: OTP 27.3.4.4
Git Tag: OTP-27.3.4.4
Date: 2025-10-28
Trouble Report Id: OTP-19768, OTP-19774, OTP-19790, OTP-19791,
OTP-19792, OTP-19799, OTP-19803, OTP-19806,
OTP-19813, OTP-19817, OTP-19818, OTP-19825
Seq num: ERERL-1261, GH-10119, GH-10150, GH-10191,
PR-10182, PR-10201, PR-10241, PR-10245,
PR-10249, PR-10257, PR-10274, PR-10284,
PR-10296, PR-9970
System: OTP
Release: 27
Application: diameter-2.4.1.1, erts-15.2.7.3,
ssl-11.2.12.3, syntax_tools-3.2.2.2,
xmerl-2.1.3.2
Predecessor: OTP 27.3.4.3
Check out the git tag OTP-27.3.4.4, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.
diameter-2.4.1.1
The diameter-2.4.1.1 application can be applied independently of other applications on a full OTP 27 installation.
Fixed Bugs and Malfunctions
-
Added documentation about 'proxy' and 'resend' options in diameter:handle_request/3
Full runtime dependencies of diameter-2.4.1.1
erts-10.0, kernel-3.2, ssl-9.0, stdlib-5.0
erts-15.2.7.3
The erts-15.2.7.3 application can be applied independently of other applications on a full OTP 27 installation.
Fixed Bugs and Malfunctions
-
Fixed the
erldocumentation of the default timewarp mode used.Own Id: OTP-19790
Related Id(s): PR-9970 -
The
erlang:suspend_process()BIFs failed to suspend processes currently executing on dirty schedulers.Own Id: OTP-19799
Related Id(s): PR-10241 -
When multiple processes called the same fun whose defining module was not loaded, a
badfunexception could sometimes occur in one of the calling processes. This would only happen with the JIT runtime system.Own Id: OTP-19803
Related Id(s): PR-10257
Full runtime dependencies of erts-15.2.7.3
kernel-9.0, sasl-3.3, stdlib-4.1
ssl-11.2.12.3
Note! The ssl-11.2.12.3 application cannot be applied independently of other applications on an arbitrary OTP 27 installation.
On a full OTP 27 installation, also the following runtime
dependency has to be satisfied:
-- public_key-1.16.4 (first satisfied in OTP 27.1.3)
Fixed Bugs and Malfunctions
-
Fixed so that sending of application data will adhere to max_fragment_length. This was broken in OTP-27 release by an optimization.
-
Assert that hello extensions are unique and send an illegal parameter alert if they are not.
Own Id: OTP-19791
Related Id(s): PR-10245 -
Avoid sending an internal message to the user process in conjunction with handling a key update.
Own Id: OTP-19806
Related Id(s): PR-10274 -
Graceful error handling added in negative test scenario.
Own Id: OTP-19813
Related Id(s): PR-10284 -
Handle duplicate change_cipher_spec message with an unexpected message alert instead of failing later in corrupted state.
Own Id: OTP-19818
Related Id(s): PR-10296 -
Make sure TLS-1.3 protocol spec is followed, that is psk-hello extension is guaranteed to be included as the last extension in the list of client hello extensions and internal hello message truncation in handshake history is handled correctly, the previous handling could cause interoperability issues.
Own Id: OTP-19825
Related Id(s): PR-10296
Full runtime dependencies of ssl-11.2.12.3
crypto-5.0, erts-15.0, inets-5.10.7, kernel-9.0, public_key-1.16.4, runtime_tools-1.15.1, stdlib-6.0
syntax_tools-3.2.2.2
The syntax_tools-3.2.2.2 application can be applied independently of other applications on a full OTP 27 installation.
Fixed Bugs and Malfunctions
-
Annotate map comprehensions and generators
Own Id: OTP-19817
Related Id(s): GH-10119
Full runtime dependencies of syntax_tools-3.2.2.2
compiler-7.0, erts-9.0, kernel-5.0, stdlib-4.0
xmerl-2.1.3.2
The xmerl-2.1.3.2 application can be applied independently of other applications on a full OTP 27 installation.
Fixed Bugs and Malfunctions
-
The XSD validation failed due to not handling the optional text blocks correctly in an XSD complex type with attribute
mixed=true.Own Id: OTP-19792
Related Id(s): PR-10249, ERERL-1261
Full runtime dependencies of xmerl-2.1.3.2
erts-6.0, kernel-8.4, stdlib-2.5
Thanks to
Daniel Gorin, Jean-Philippe Jodoin
OTP 28.1.1
Patch Package: OTP 28.1.1
Git Tag: OTP-28.1.1
Date: 2025-10-20
Trouble Report Id: OTP-19768, OTP-19771, OTP-19774, OTP-19780,
OTP-19790, OTP-19791, OTP-19792, OTP-19796,
OTP-19799, OTP-19806
Seq num: ERERL-1261, ERIERL-1251, ERIERL-1264,
GH-10150, GH-10191, GH-10212, GH-10217,
PR-10182, PR-10194, PR-10201, PR-10221,
PR-10241, PR-10245, PR-10248, PR-10249,
PR-10274, PR-9970
System: OTP
Release: 28
Application: diameter-2.5.2, erts-16.1.1, kernel-10.4.1,
ssl-11.4.1, xmerl-2.1.7
Predecessor: OTP 28.1
Check out the git tag OTP-28.1.1, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.
OTP-28.1.1
Improvements and New Features
-
When building OTP, some applications may be skipped due to lacking dependencies, or due to user choice. Such skipped applications are excluded from the docs build step and a placeholder page is displayed in their stead.
Own Id: OTP-19771
Related Id(s): ERIERL-1251, PR-10194
diameter-2.5.2
The diameter-2.5.2 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Added documentation about 'proxy' and 'resend' options in diameter:handle_request/3
Full runtime dependencies of diameter-2.5.2
erts-10.0, kernel-3.2, ssl-9.0, stdlib-5.0
erts-16.1.1
The erts-16.1.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Fixed the
erldocumentation of the default timewarp mode used.Own Id: OTP-19790
Related Id(s): PR-9970 -
The
erlang:suspend_process()BIFs failed to suspend processes currently executing on dirty schedulers.Own Id: OTP-19799
Related Id(s): PR-10241
Full runtime dependencies of erts-16.1.1
kernel-9.0, sasl-3.3, stdlib-4.1
kernel-10.4.1
The kernel-10.4.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
With this change group.erl will not crash when receiving unknown message.
Own Id: OTP-19796
Related Id(s): ERIERL-1264, PR-10248
Full runtime dependencies of kernel-10.4.1
crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-6.0
ssl-11.4.1
Note! The ssl-11.4.1 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.
On a full OTP 28 installation, also the following runtime
dependencies have to be satisfied:
-- crypto-5.7 (first satisfied in OTP 28.1)
-- public_key-1.18.3 (first satisfied in OTP 28.1)
Fixed Bugs and Malfunctions
-
Fixed so that sending of application data will adhere to max_fragment_length. This was broken in OTP-27 release by an optimization.
-
PR-10046 put to hard requirements on key file content. Make sure same file can be used as keyfile and certfile
Own Id: OTP-19780
Related Id(s): GH-10212, GH-10217, PR-10221 -
Assert that hello extensions are unique and send an illegal parameter alert if they are not.
Own Id: OTP-19791
Related Id(s): PR-10245 -
Avoid sending an internal message to the user process in conjunction with handling a key update.
Own Id: OTP-19806
Related Id(s): PR-10274
Full runtime dependencies of ssl-11.4.1
crypto-5.7, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.18.3, runtime_tools-1.15.1, stdlib-7.0
xmerl-2.1.7
The xmerl-2.1.7 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
The XSD validation failed due to not handling the optional text blocks correctly in an XSD complex type with attribute
mixed=true.Own Id: OTP-19792
Related Id(s): PR-10249, ERERL-1261
Full runtime dependencies of xmerl-2.1.7
erts-6.0, kernel-8.4, stdlib-2.5
Thanks to
Daniel Gorin, Dmytro Lytovchenko, Jean-Philippe Jodoin
OTP 28.1
Patch Package: OTP 28.1
Git Tag: OTP-28.1
Date: 2025-09-17
Trouble Report Id: OTP-16607, OTP-19552, OTP-19619, OTP-19642,
OTP-19646, OTP-19647, OTP-19648, OTP-19649,
OTP-19651, OTP-19655, OTP-19657, OTP-19659,
OTP-19660, OTP-19666, OTP-19667, OTP-19669,
OTP-19671, OTP-19677, OTP-19681, OTP-19685,
OTP-19686, OTP-19688, OTP-19689, OTP-19693,
OTP-19694, OTP-19696, OTP-19698, OTP-19704,
OTP-19706, OTP-19714, OTP-19719, OTP-19721,
OTP-19722, OTP-19723, OTP-19724, OTP-19725,
OTP-19726, OTP-19727, OTP-19728, OTP-19730,
OTP-19731, OTP-19733, OTP-19735, OTP-19736,
OTP-19737, OTP-19739, OTP-19745, OTP-19749,
OTP-19752, OTP-19754, OTP-19756, OTP-19757,
OTP-19758, OTP-19759, OTP-19760
Seq num: ERIERL-1209, ERIERL-1231, GH-10002, GH-10020,
GH-10057, GH-10061, GH-10065, GH-10072,
GH-10077, GH-10079, GH-10097, GH-10102,
GH-5697, GH-5756, GH-9631, GH-9638, GH-9771,
GH-9816, GH-9875, GH-9901, GH-9903, GH-9972,
GH-9987, OTP-16608, PR-10004, PR-10009,
PR-10011, PR-10014, PR-10019, PR-10034,
PR-10046, PR-10051, PR-10066, PR-10076,
PR-10084, PR-10085, PR-10087, PR-10090,
PR-10091, PR-10093, PR-10094, PR-10104,
PR-10106, PR-10108, PR-10112, PR-10113,
PR-10120, PR-10121, PR-10140, PR-10142,
PR-10146, PR-10147, PR-10153, PR-9589,
PR-9721, PR-9796, PR-9815, PR-9832, PR-9843,
PR-9853, PR-9862, PR-9869, PR-9876, PR-9879,
PR-9896, PR-9897, PR-9898, PR-9900, PR-9906,
PR-9909, PR-9912, PR-9927, PR-9949, PR-9954,
PR-9969, PR-9976, PR-9982, PR-9990
System: OTP
Release: 28
Application: asn1-5.4.2, common_test-1.29, compiler-9.0.2,
crypto-5.7, debugger-6.0.3, edoc-1.4.1,
erl_interface-5.6.1, erts-16.1, inets-9.4.2,
kernel-10.4, megaco-4.8.1, mnesia-4.24.1,
observer-2.18.1, os_mon-2.11.1,
public_key-1.18.3, runtime_tools-2.3,
snmp-5.19.1, ssl-11.4, stdlib-7.1,
syntax_tools-4.0.1, tools-4.1.3, wx-2.5.2,
xmerl-2.1.6
Predecessor: OTP 28.0.4
Check out the git tag OTP-28.1, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.
HIGHLIGHTS
-
Added support for quantum crypto signature algorithm ML-DSA (ssl and public_key) and key exchange algorithm ML-KEM (ssl).
Own Id: OTP-19552
Application(s): public_key, ssl
Related Id(s): [PR-10004] -
A User's Guide to
dbgis now available in the documentation.Own Id: OTP-19655
Application(s): runtime_tools
Related Id(s): [PR-9853] -
Support for ML-DSA and ML-KEM provided by OpenSSL 3.5.
Algorithms
mldsa44,mldsa65andmldsa87can be passed tocrypto:sign/4andcrypto:verify/5.New functions
crypto:encapsulate_key/2andcrypto:decapsulate_key/3can be used withmlkem512,mlkem768andmlkem1024to safely generate and communicate an encapsulated shared secret.Own Id: OTP-19657
Application(s): crypto
Related Id(s): [PR-9900] -
TLS server now fails early for supplied PEM file issues, such as the file not being found.
Own Id: OTP-19706
Application(s): ssl
Related Id(s): [GH-9631], [PR-10046]
POTENTIAL INCOMPATIBILITIES
-
The internal
inet_dns_tsigandinet_resmodules have been fixed to TSIG verify the correct timestamp.In the process two undocumented error code atoms have been corrected to
notauthandnotzoneto adhere to the DNS RFCs. Code that relied on the previous incorrect values may have to be corrected.Own Id: OTP-19756
Application(s): kernel
Related Id(s): [PR-10146]
OTP-28.1
Fixed Bugs and Malfunctions
-
When any Erlang/OTP application has been disabled by
configure, warnings fromex_docwhen building the documentation are now disabled.Own Id: OTP-19646
Related Id(s): [GH-9875], [PR-9876] -
./otp_buildnow respectsTYPEandFLAVORto when set.Own Id: OTP-19677
Related Id(s): [PR-9954] -
Rendering of some tables in the documentation has been improved.
Own Id: OTP-19752
Related Id(s): [PR-10142]
Improvements and New Features
-
In [Efficiency Guide], the section about
setelement/3in Common Caveats has been updated.Own Id: OTP-19749
Related Id(s): [PR-10140]
asn1-5.4.2
The asn1-5.4.2 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Decoding a constrained BIT STRING using JER was broken.
Own Id: OTP-19681
Related Id(s): [PR-9949] -
NIFs and linked-in drivers are now loadable when running in an Erlang source tree on Windows.
Own Id: OTP-19686
Related Id(s): [PR-9969]
Full runtime dependencies of asn1-5.4.2
erts-14.0, kernel-9.0, stdlib-5.0
common_test-1.29
The common_test-1.29 application can be applied independently of other applications on a full OTP 28 installation.
Improvements and New Features
-
Improved printing of maps. Map keys are now printed in the same order as
maps:iterator(Map, ordered)would sort them.Own Id: OTP-19642
Related Id(s): ERIERL-1231, [PR-9862] -
ct:printwill now suppress printing of timestamp and heading when the heading option is set to the empty string.Own Id: OTP-19714
Related Id(s): [PR-10051]
Full runtime dependencies of common_test-1.29
compiler-6.0, crypto-4.5, debugger-4.1, erts-7.0, ftp-1.0, inets-6.0, kernel-8.4, observer-2.1, runtime_tools-1.8.16, sasl-2.5, snmp-5.1.2, ssh-4.0, stdlib-4.0, syntax_tools-1.7, tools-3.2, xmerl-1.3.8
compiler-9.0.2
The compiler-9.0.2 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Fixed a compiler crash caused by patch order in destructive update.
Own Id: OTP-19660
Related Id(s): [GH-9903], [PR-9909] -
Fixed a compiler crash in
beam_ssa_pre_codegencaused by wrong handling of multiple phi patches in the destructive update pass.Own Id: OTP-19689
Related Id(s): [GH-9987], [PR-9990] -
Fixed a crash when a zip generator contains a map pattern.
Own Id: OTP-19693
Related Id(s): [GH-10002], [PR-10009] -
In rare circumstances, the compiler could crash when compiling code using bit syntax construction.
Own Id: OTP-19722
Related Id(s): [GH-10077], [PR-10090] -
A few minor bugs that could affect the
beam_debug_infooption were fixed.Own Id: OTP-19758
Related Id(s): [PR-10153]
Full runtime dependencies of compiler-9.0.2
crypto-5.1, erts-13.0, kernel-8.4, stdlib-6.0
crypto-5.7
The crypto-5.7 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
NIFs and linked-in drivers are now loadable when running in an Erlang source tree on Windows.
Own Id: OTP-19686
Related Id(s): [PR-9969] -
Fixed bug seen to cause beam crash when doing
init:restart()withcryptostatically linked to OpenSSL (--disable-dynamic-ssl-lib). Bug exists since OTP 28.0.Own Id: OTP-19721
Related Id(s): [GH-10061], [PR-10076] -
Fixed
crypto:strong_rand_bytesfailing afterinit:restarton MacOS with statically linked OpenSSL.Own Id: OTP-19725
Related Id(s): [GH-10079], [PR-10085] -
Fixed
crypto:hash(shake128 | shake256)for OpenSSL 3.4 and newer.Own Id: OTP-19733
Related Id(s): [GH-9901], [PR-9982] -
Rendering of some tables in the documentation has been improved.
Own Id: OTP-19752
Related Id(s): [PR-10142]
Improvements and New Features
-
Support for ML-DSA and ML-KEM provided by OpenSSL 3.5.
Algorithms
mldsa44,mldsa65andmldsa87can be passed tocrypto:sign/4andcrypto:verify/5.New functions
crypto:encapsulate_key/2andcrypto:decapsulate_key/3can be used withmlkem512,mlkem768andmlkem1024to safely generate and communicate an encapsulated shared secret.Own Id: OTP-19657
Related Id(s): [PR-9900]*** HIGHLIGHT ***
-
Added support for SHA2 512/224 and SHA2 512/256 truncated hashes.
Own Id: OTP-19666
Related Id(s): [PR-9721]
Full runtime dependencies of crypto-5.7
erts-9.0, kernel-6.0, stdlib-3.9
debugger-6.0.3
The debugger-6.0.3 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Fixed unbound error in interpreted modules
Own Id: OTP-19719
Related Id(s): [GH-10057], [PR-10066]
Full runtime dependencies of debugger-6.0.3
compiler-8.0, erts-15.0, kernel-10.0, stdlib-7.0, wx-2.0
edoc-1.4.1
The edoc-1.4.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Rendering of some tables in the documentation has been improved.
Own Id: OTP-19752
Related Id(s): [PR-10142]
Full runtime dependencies of edoc-1.4.1
erts-11.0, inets-5.10, kernel-7.0, stdlib-4.0, syntax_tools-2.0, xmerl-1.3.7
erl_interface-5.6.1
The erl_in...
OTP 28.0.4
Patch Package: OTP 28.0.4
Git Tag: OTP-28.0.4
Date: 2025-09-11
Trouble Report Id: OTP-19729
Seq num: CVE-2016-1000107, GH-3392, PR-6223
System: OTP
Release: 28
Application: inets-9.4.1
Predecessor: OTP 28.0.3
Check out the git tag OTP-28.0.4, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.
inets-9.4.1
The inets-9.4.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Fixed a bug where a request sent to httpd server which is using CGI script to generate a response, would pollute server's environment variable -
HTTP_PROXYfor that request. This bug is also known as httpoxy. More information: CVE-2016-1000107Own Id: OTP-19729
Related Id(s): GH-3392, PR-6223, CVE-2016-1000107
Full runtime dependencies of inets-9.4.1
erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0
Thanks to
Marcel Lanz
OTP 28.0.3
Patch Package: OTP 28.0.3
Git Tag: OTP-28.0.3
Date: 2025-09-10
Trouble Report Id: OTP-19701, OTP-19741, OTP-19742, OTP-19748,
OTP-19753, OTP-19755, OTP-19761
Seq num: CVE-2025-48038, CVE-2025-48039,
CVE-2025-48040, CVE-2025-48041,
CVE-2025-58050, PR-10155, PR-10156, PR-10157,
PR-10162, PR-19755, PR-9815
System: OTP
Release: 28
Application: diameter-2.5.1, erts-16.0.3, ssh-5.3.3,
stdlib-7.0.3
Predecessor: OTP 28.0.2
Check out the git tag OTP-28.0.3, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.
POTENTIAL INCOMPATIBILITIES
-
Option max_handles can be configured for sshd running SFTP. The positive integer value limits amount of file handles opened for a connection (by default 4096 is used).
Own Id: OTP-19701
Application(s): ssh
Related Id(s): PR-10157, CVE-2025-48041 -
Avoid decoding KEX messages providing too many algorithms. This change does not introduce new limitation but assures it is enforced earlier in processing chain. Adjustments in error logging during handshake.
Own Id: OTP-19741
Application(s): ssh
Related Id(s): PR-10162, CVE-2025-48040 -
A new 'max_path' option is now available in the sshd configuration, allowing administrators to set the maximum allowable path length. By default, this value is set to 4096 characters.
Own Id: OTP-19742
Application(s): ssh
Related Id(s): PR-10155, CVE-2025-48039 -
Reject file handles exceeding size specified in RFCs (256 bytes).
Own Id: OTP-19748
Application(s): ssh
Related Id(s): PR-10156, CVE-2025-48038
diameter-2.5.1
The diameter-2.5.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
With this change message_cb callback will be called with updated state for processing 'ack' after 'send'.
Own Id: OTP-19753
Related Id(s): PR-9815
Full runtime dependencies of diameter-2.5.1
erts-10.0, kernel-3.2, ssl-9.0, stdlib-5.0
erts-16.0.3
The erts-16.0.3 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Update PCRE2 from 10.45 to 10.46. Fixes potential buffer read overflow on regular expressions with
(*scs:)and(*ACCEPT)syntax combined.Own Id: OTP-19755
Related Id(s): CVE-2025-58050 -
Fixed bug that could cause crash in beam started with
erl -emu_type debug +JPperf truewith any type of tracing return from function.Own Id: OTP-19761
Related Id(s): PR-19755
Full runtime dependencies of erts-16.0.3
kernel-9.0, sasl-3.3, stdlib-4.1
ssh-5.3.3
The ssh-5.3.3 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Option max_handles can be configured for sshd running SFTP. The positive integer value limits amount of file handles opened for a connection (by default 4096 is used).
Own Id: OTP-19701
Related Id(s): PR-10157, CVE-2025-48041*** POTENTIAL INCOMPATIBILITY ***
-
Avoid decoding KEX messages providing too many algorithms. This change does not introduce new limitation but assures it is enforced earlier in processing chain. Adjustments in error logging during handshake.
Own Id: OTP-19741
Related Id(s): PR-10162, CVE-2025-48040*** POTENTIAL INCOMPATIBILITY ***
-
A new 'max_path' option is now available in the sshd configuration, allowing administrators to set the maximum allowable path length. By default, this value is set to 4096 characters.
Own Id: OTP-19742
Related Id(s): PR-10155, CVE-2025-48039*** POTENTIAL INCOMPATIBILITY ***
-
Reject file handles exceeding size specified in RFCs (256 bytes).
Own Id: OTP-19748
Related Id(s): PR-10156, CVE-2025-48038*** POTENTIAL INCOMPATIBILITY ***
Full runtime dependencies of ssh-5.3.3
crypto-5.0, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0
stdlib-7.0.3
Note! The stdlib-7.0.3 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.
On a full OTP 28 installation, also the following runtime
dependency has to be satisfied:
-- erts-16.0.3 (first satisfied in OTP 28.0.3)
Fixed Bugs and Malfunctions
-
Update PCRE2 from 10.45 to 10.46. Fixes potential buffer read overflow on regular expressions with
(*scs:)and(*ACCEPT)syntax combined.Own Id: OTP-19755
Related Id(s): CVE-2025-58050
Full runtime dependencies of stdlib-7.0.3
compiler-5.0, crypto-4.5, erts-16.0.3, kernel-10.0, sasl-3.0, syntax_tools-3.2.1
Thanks to
Alberto Sartori
OTP 27.3.4.3
Patch Package: OTP 27.3.4.3
Git Tag: OTP-27.3.4.3
Date: 2025-09-10
Trouble Report Id: OTP-19701, OTP-19719, OTP-19722, OTP-19728,
OTP-19729, OTP-19740, OTP-19741, OTP-19742,
OTP-19748, OTP-19760
Seq num: CVE-2025-48038, CVE-2025-48039,
CVE-2025-48040, CVE-2025-48041, GH-10057,
GH-10065, GH-10072, GH-10077, GH-10103,
GH-3392, PR-10066, PR-10090, PR-10093,
PR-10118, PR-10120, PR-10155, PR-10156,
PR-10157, PR-10162, PR-6223
System: OTP
Release: 27
Application: compiler-8.6.1.2, debugger-5.5.0.1,
erts-15.2.7.2, inets-9.3.2.1, ssh-5.2.11.3,
syntax_tools-3.2.2.1
Predecessor: OTP 27.3.4.2
Check out the git tag OTP-27.3.4.3, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.
POTENTIAL INCOMPATIBILITIES
-
Option max_handles can be configured for sshd running SFTP. The positive integer value limits amount of file handles opened for a connection (by default 4096 is used).
Own Id: OTP-19701
Application(s): ssh
Related Id(s): PR-10157, CVE-2025-48041 -
Avoid decoding KEX messages providing too many algorithms. This change does not introduce new limitation but assures it is enforced earlier in processing chain. Adjustments in error logging during handshake.
Own Id: OTP-19741
Application(s): ssh
Related Id(s): PR-10162, CVE-2025-48040 -
A new 'max_path' option is now available in the sshd configuration, allowing administrators to set the maximum allowable path length. By default, this value is set to 4096 characters.
Own Id: OTP-19742
Application(s): ssh
Related Id(s): PR-10155, CVE-2025-48039 -
Reject file handles exceeding size specified in RFCs (256 bytes).
Own Id: OTP-19748
Application(s): ssh
Related Id(s): PR-10156, CVE-2025-48038
compiler-8.6.1.2
The compiler-8.6.1.2 application can be applied independently of other applications on a full OTP 27 installation.
Fixed Bugs and Malfunctions
-
In rare circumstances, the compiler could crash when compiling code using bit syntax construction.
Full runtime dependencies of compiler-8.6.1.2
crypto-5.1, erts-13.0, kernel-8.4, stdlib-6.0
debugger-5.5.0.1
The debugger-5.5.0.1 application can be applied independently of other applications on a full OTP 27 installation.
Fixed Bugs and Malfunctions
Full runtime dependencies of debugger-5.5.0.1
compiler-8.0, erts-15.0, kernel-10.0, stdlib-3.15, wx-2.0
erts-15.2.7.2
The erts-15.2.7.2 application can be applied independently of other applications on a full OTP 27 installation.
Fixed Bugs and Malfunctions
-
As an optimization, when the
unicode:characters_to_binary/3was used to convert fromlatin1toutf8or vice versa, it would return the original binary unchanged if it only contained 7-bit ASCII characters. That otpimization was broken in Erlang/OTP 27, and has now been mended.
Full runtime dependencies of erts-15.2.7.2
kernel-9.0, sasl-3.3, stdlib-4.1
inets-9.3.2.1
The inets-9.3.2.1 application can be applied independently of other applications on a full OTP 27 installation.
Fixed Bugs and Malfunctions
-
Fixed a bug where a request sent to httpd server which is using CGI script to generate a response, would pollute server's environment variable -
HTTP_PROXYfor that request. This bug is also known as httpoxy. More information: CVE-2016-1000107 -
Fixed a RFC 2616 violation, where a http request, made by httpc, without providing any options, would be sent with an empty TE header, without also having a TE value in the connection header. Now the default request doesn't send a TE header at all.
Full runtime dependencies of inets-9.3.2.1
erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0
ssh-5.2.11.3
The ssh-5.2.11.3 application can be applied independently of other applications on a full OTP 27 installation.
Fixed Bugs and Malfunctions
-
Option max_handles can be configured for sshd running SFTP. The positive integer value limits amount of file handles opened for a connection (by default 4096 is used).
Own Id: OTP-19701
Related Id(s): PR-10157, CVE-2025-48041*** POTENTIAL INCOMPATIBILITY ***
-
Avoid decoding KEX messages providing too many algorithms. This change does not introduce new limitation but assures it is enforced earlier in processing chain. Adjustments in error logging during handshake.
Own Id: OTP-19741
Related Id(s): PR-10162, CVE-2025-48040*** POTENTIAL INCOMPATIBILITY ***
-
A new 'max_path' option is now available in the sshd configuration, allowing administrators to set the maximum allowable path length. By default, this value is set to 4096 characters.
Own Id: OTP-19742
Related Id(s): PR-10155, CVE-2025-48039*** POTENTIAL INCOMPATIBILITY ***
-
Reject file handles exceeding size specified in RFCs (256 bytes).
Own Id: OTP-19748
Related Id(s): PR-10156, CVE-2025-48038*** POTENTIAL INCOMPATIBILITY ***
Full runtime dependencies of ssh-5.2.11.3
crypto-5.0, erts-14.0, kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0
syntax_tools-3.2.2.1
The syntax_tools-3.2.2.1 application can be applied independently of other applications on a full OTP 27 installation.
Fixed Bugs and Malfunctions
Full runtime dependencies of syntax_tools-3.2.2.1
compiler-7.0, erts-9.0, kernel-5.0, stdlib-4.0
Thanks to
Marcel Lanz, Savvas Nicholas
OTP 26.2.5.15
Patch Package: OTP 26.2.5.15
Git Tag: OTP-26.2.5.15
Date: 2025-09-10
Trouble Report Id: OTP-19701, OTP-19729, OTP-19741, OTP-19742,
OTP-19748, OTP-19760
Seq num: CVE-2025-48038, CVE-2025-48039,
CVE-2025-48040, CVE-2025-48041, GH-10065,
GH-3392, PR-10120, PR-10155, PR-10156,
PR-10157, PR-10162, PR-6223
System: OTP
Release: 26
Application: inets-9.1.0.3, ssh-5.1.4.12
Predecessor: OTP 26.2.5.14
Check out the git tag OTP-26.2.5.15, and build a full OTP system
including documentation. Apply one or more applications from this
build as patches to your installation using the 'otp_patch_apply'
tool. For information on install requirements, see descriptions for
each application version below.
---------------------------------------------------------------------
--- POTENTIAL INCOMPATIBILITIES -------------------------------------
---------------------------------------------------------------------
OTP-19701 Application(s): ssh
Related Id(s): PR-10157, CVE-2025-48041
Option max_handles can be configured for sshd running
SFTP. The positive integer value limits amount of file
handles opened for a connection (by default 4096 is
used).
OTP-19741 Application(s): ssh
Related Id(s): PR-10162, CVE-2025-48040
Avoid decoding KEX messages providing too many
algorithms. This change does not introduce new
limitation but assures it is enforced earlier in
processing chain. Adjustments in error logging during
handshake.
OTP-19742 Application(s): ssh
Related Id(s): PR-10155, CVE-2025-48039
A new 'max_path' option is now available in the sshd
configuration, allowing administrators to set the
maximum allowable path length. By default, this value
is set to 4096 characters.
OTP-19748 Application(s): ssh
Related Id(s): PR-10156, CVE-2025-48038
Reject file handles exceeding size specified in RFCs
(256 bytes).
---------------------------------------------------------------------
--- inets-9.1.0.3 ---------------------------------------------------
---------------------------------------------------------------------
The inets-9.1.0.3 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19729 Application(s): inets
Related Id(s): GH-3392, PR-6223
Fixed a bug where a request sent to httpd server which
is using CGI script to generate a response, would
pollute server's environment variable - HTTP_PROXY for
that request. This bug is also known as httpoxy. More
information: CVE-2016-1000107
OTP-19760 Application(s): inets
Related Id(s): GH-10065, PR-10120
Fixed a RFC 2616 violation, where a http request, made
by httpc, without providing any options, would be sent
with an empty TE header, without also having a TE value
in the connection header. Now the default request
doesn't send a TE header at all.
Full runtime dependencies of inets-9.1.0.3: erts-14.0, kernel-9.0,
mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0,
stdlib-5.0, stdlib-5.0
---------------------------------------------------------------------
--- ssh-5.1.4.12 ----------------------------------------------------
---------------------------------------------------------------------
The ssh-5.1.4.12 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19701 Application(s): ssh
Related Id(s): PR-10157, CVE-2025-48041
*** POTENTIAL INCOMPATIBILITY ***
Option max_handles can be configured for sshd running
SFTP. The positive integer value limits amount of file
handles opened for a connection (by default 4096 is
used).
OTP-19741 Application(s): ssh
Related Id(s): PR-10162, CVE-2025-48040
*** POTENTIAL INCOMPATIBILITY ***
Avoid decoding KEX messages providing too many
algorithms. This change does not introduce new
limitation but assures it is enforced earlier in
processing chain. Adjustments in error logging during
handshake.
OTP-19742 Application(s): ssh
Related Id(s): PR-10155, CVE-2025-48039
*** POTENTIAL INCOMPATIBILITY ***
A new 'max_path' option is now available in the sshd
configuration, allowing administrators to set the
maximum allowable path length. By default, this value
is set to 4096 characters.
OTP-19748 Application(s): ssh
Related Id(s): PR-10156, CVE-2025-48038
*** POTENTIAL INCOMPATIBILITY ***
Reject file handles exceeding size specified in RFCs
(256 bytes).
Full runtime dependencies of ssh-5.1.4.12: crypto-5.0, erts-14.0,
kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0,
stdlib-5.0
---------------------------------------------------------------------
--- Thanks to -------------------------------------------------------
---------------------------------------------------------------------
Marcel Lanz, Savvas Nicholas
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------