Patch Package:           OTP 28.1
Git Tag:                 OTP-28.1
Date:                    2025-09-17
Trouble Report Id:       OTP-16607, OTP-19552, OTP-19619, OTP-19642,
                         OTP-19646, OTP-19647, OTP-19648, OTP-19649,
                         OTP-19651, OTP-19655, OTP-19657, OTP-19659,
                         OTP-19660, OTP-19666, OTP-19667, OTP-19669,
                         OTP-19671, OTP-19677, OTP-19681, OTP-19685,
                         OTP-19686, OTP-19688, OTP-19689, OTP-19693,
                         OTP-19694, OTP-19696, OTP-19698, OTP-19704,
                         OTP-19706, OTP-19714, OTP-19719, OTP-19721,
                         OTP-19722, OTP-19723, OTP-19724, OTP-19725,
                         OTP-19726, OTP-19727, OTP-19728, OTP-19730,
                         OTP-19731, OTP-19733, OTP-19735, OTP-19736,
                         OTP-19737, OTP-19739, OTP-19745, OTP-19749,
                         OTP-19752, OTP-19754, OTP-19756, OTP-19757,
                         OTP-19758, OTP-19759, OTP-19760
Seq num:                 ERIERL-1209, ERIERL-1231, GH-10002, GH-10020,
                         GH-10057, GH-10061, GH-10065, GH-10072,
                         GH-10077, GH-10079, GH-10097, GH-10102,
                         GH-5697, GH-5756, GH-9631, GH-9638, GH-9771,
                         GH-9816, GH-9875, GH-9901, GH-9903, GH-9972,
                         GH-9987, OTP-16608, PR-10004, PR-10009,
                         PR-10011, PR-10014, PR-10019, PR-10034,
                         PR-10046, PR-10051, PR-10066, PR-10076,
                         PR-10084, PR-10085, PR-10087, PR-10090,
                         PR-10091, PR-10093, PR-10094, PR-10104,
                         PR-10106, PR-10108, PR-10112, PR-10113,
                         PR-10120, PR-10121, PR-10140, PR-10142,
                         PR-10146, PR-10147, PR-10153, PR-9589,
                         PR-9721, PR-9796, PR-9815, PR-9832, PR-9843,
                         PR-9853, PR-9862, PR-9869, PR-9876, PR-9879,
                         PR-9896, PR-9897, PR-9898, PR-9900, PR-9906,
                         PR-9909, PR-9912, PR-9927, PR-9949, PR-9954,
                         PR-9969, PR-9976, PR-9982, PR-9990
System:                  OTP
Release:                 28
Application:             asn1-5.4.2, common_test-1.29, compiler-9.0.2,
                         crypto-5.7, debugger-6.0.3, edoc-1.4.1,
                         erl_interface-5.6.1, erts-16.1, inets-9.4.2,
                         kernel-10.4, megaco-4.8.1, mnesia-4.24.1,
                         observer-2.18.1, os_mon-2.11.1,
                         public_key-1.18.3, runtime_tools-2.3,
                         snmp-5.19.1, ssl-11.4, stdlib-7.1,
                         syntax_tools-4.0.1, tools-4.1.3, wx-2.5.2,
                         xmerl-2.1.6
Predecessor:             OTP 28.0.4

Check out the git tag OTP-28.1, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

HIGHLIGHTS

• Added support for quantum crypto signature algorithm ML-DSA (ssl and public_key) and key exchange algorithm ML-KEM (ssl).

  Own Id: OTP-19552
  Application(s): public_key, ssl
  Related Id(s): [PR-10004]

• A User's Guide to dbg is now available in the documentation.

  Own Id: OTP-19655
  Application(s): runtime_tools
  Related Id(s): [PR-9853]

• Support for ML-DSA and ML-KEM provided by OpenSSL 3.5.

  Algorithms mldsa44, mldsa65 and mldsa87 can be passed to crypto:sign/4 and crypto:verify/5.

  New functions crypto:encapsulate_key/2 and crypto:decapsulate_key/3 can be used with mlkem512, mlkem768 and mlkem1024 to safely generate and communicate an encapsulated shared secret.

  Own Id: OTP-19657
  Application(s): crypto
  Related Id(s): [PR-9900]

• TLS server now fails early for supplied PEM file issues, such as the file not being found.

  Own Id: OTP-19706
  Application(s): ssl
  Related Id(s): [GH-9631], [PR-10046]

POTENTIAL INCOMPATIBILITIES

• The internal inet_dns_tsig and inet_res modules have been fixed to TSIG verify the correct timestamp.

  In the process two undocumented error code atoms have been corrected to notauth and notzone to adhere to the DNS RFCs. Code that relied on the previous incorrect values may have to be corrected.

  Own Id: OTP-19756
  Application(s): kernel
  Related Id(s): [PR-10146]

OTP-28.1

Fixed Bugs and Malfunctions

• When any Erlang/OTP application has been disabled by configure, warnings from ex_doc when building the documentation are now disabled.

  Own Id: OTP-19646
  Related Id(s): [GH-9875], [PR-9876]

• ./otp_build now respects TYPE and FLAVOR to when set.

  Own Id: OTP-19677
  Related Id(s): [PR-9954]

• Rendering of some tables in the documentation has been improved.

  Own Id: OTP-19752
  Related Id(s): [PR-10142]

Improvements and New Features

• In [Efficiency Guide], the section about setelement/3 in Common Caveats has been updated.

  Own Id: OTP-19749
  Related Id(s): [PR-10140]

asn1-5.4.2

The asn1-5.4.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Decoding a constrained BIT STRING using JER was broken.

  Own Id: OTP-19681
  Related Id(s): [PR-9949]

• NIFs and linked-in drivers are now loadable when running in an Erlang source tree on Windows.

  Own Id: OTP-19686
  Related Id(s): [PR-9969]

Full runtime dependencies of asn1-5.4.2

erts-14.0, kernel-9.0, stdlib-5.0

common_test-1.29

The common_test-1.29 application can be applied independently of other applications on a full OTP 28 installation.

Improvements and New Features

• Improved printing of maps. Map keys are now printed in the same order as maps:iterator(Map, ordered) would sort them.

  Own Id: OTP-19642
  Related Id(s): ERIERL-1231, [PR-9862]

• ct:print will now suppress printing of timestamp and heading when the heading option is set to the empty string.

  Own Id: OTP-19714
  Related Id(s): [PR-10051]

Full runtime dependencies of common_test-1.29

compiler-6.0, crypto-4.5, debugger-4.1, erts-7.0, ftp-1.0, inets-6.0, kernel-8.4, observer-2.1, runtime_tools-1.8.16, sasl-2.5, snmp-5.1.2, ssh-4.0, stdlib-4.0, syntax_tools-1.7, tools-3.2, xmerl-1.3.8

compiler-9.0.2

The compiler-9.0.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fixed a compiler crash caused by patch order in destructive update.

  Own Id: OTP-19660
  Related Id(s): [GH-9903], [PR-9909]

• Fixed a compiler crash in beam_ssa_pre_codegen caused by wrong handling of multiple phi patches in the destructive update pass.

  Own Id: OTP-19689
  Related Id(s): [GH-9987], [PR-9990]

• Fixed a crash when a zip generator contains a map pattern.

  Own Id: OTP-19693
  Related Id(s): [GH-10002], [PR-10009]

• In rare circumstances, the compiler could crash when compiling code using bit syntax construction.

  Own Id: OTP-19722
  Related Id(s): [GH-10077], [PR-10090]

• A few minor bugs that could affect the beam_debug_info option were fixed.

  Own Id: OTP-19758
  Related Id(s): [PR-10153]

Full runtime dependencies of compiler-9.0.2

crypto-5.1, erts-13.0, kernel-8.4, stdlib-6.0

crypto-5.7

The crypto-5.7 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• NIFs and linked-in drivers are now loadable when running in an Erlang source tree on Windows.

  Own Id: OTP-19686
  Related Id(s): [PR-9969]

• Fixed bug seen to cause beam crash when doing init:restart() with crypto statically linked to OpenSSL (--disable-dynamic-ssl-lib). Bug exists since OTP 28.0.

  Own Id: OTP-19721
  Related Id(s): [GH-10061], [PR-10076]

• Fixed crypto:strong_rand_bytes failing after init:restart on MacOS with statically linked OpenSSL.

  Own Id: OTP-19725
  Related Id(s): [GH-10079], [PR-10085]

• Fixed crypto:hash(shake128 | shake256) for OpenSSL 3.4 and newer.

  Own Id: OTP-19733
  Related Id(s): [GH-9901], [PR-9982]

• Rendering of some tables in the documentation has been improved.

  Own Id: OTP-19752
  Related Id(s): [PR-10142]

Improvements and New Features

• Support for ML-DSA and ML-KEM provided by OpenSSL 3.5.

  Algorithms mldsa44, mldsa65 and mldsa87 can be passed to crypto:sign/4 and crypto:verify/5.

  New functions crypto:encapsulate_key/2 and crypto:decapsulate_key/3 can be used with mlkem512, mlkem768 and mlkem1024 to safely generate and communicate an encapsulated shared secret.

  Own Id: OTP-19657
  Related Id(s): [PR-9900]

  *** HIGHLIGHT ***

• Added support for SHA2 512/224 and SHA2 512/256 truncated hashes.

  Own Id: OTP-19666
  Related Id(s): [PR-9721]

Full runtime dependencies of crypto-5.7

erts-9.0, kernel-6.0, stdlib-3.9

debugger-6.0.3

The debugger-6.0.3 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fixed unbound error in interpreted modules

  Own Id: OTP-19719
  Related Id(s): [GH-10057], [PR-10066]

Full runtime dependencies of debugger-6.0.3

compiler-8.0, erts-15.0, kernel-10.0, stdlib-7.0, wx-2.0

edoc-1.4.1

The edoc-1.4.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Rendering of some tables in the documentation has been improved.

  Own Id: OTP-19752
  Related Id(s): [PR-10142]

Full runtime dependencies of edoc-1.4.1

erts-11.0, inets-5.10, kernel-7.0, stdlib-4.0, syntax_tools-2.0, xmerl-1.3.7

erl_interface-5.6.1

The erl_in...

Patch Package:           OTP 28.0.4
Git Tag:                 OTP-28.0.4
Date:                    2025-09-11
Trouble Report Id:       OTP-19729
Seq num:                 CVE-2016-1000107, GH-3392, PR-6223
System:                  OTP
Release:                 28
Application:             inets-9.4.1
Predecessor:             OTP 28.0.3

Check out the git tag OTP-28.0.4, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

inets-9.4.1

The inets-9.4.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fixed a bug where a request sent to httpd server which is using CGI script to generate a response, would pollute server's environment variable - HTTP_PROXY for that request. This bug is also known as httpoxy. More information: CVE-2016-1000107

  Own Id: OTP-19729
  Related Id(s): GH-3392, PR-6223, CVE-2016-1000107

Full runtime dependencies of inets-9.4.1

erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0

Thanks to

Marcel Lanz

Patch Package:           OTP 28.0.3
Git Tag:                 OTP-28.0.3
Date:                    2025-09-10
Trouble Report Id:       OTP-19701, OTP-19741, OTP-19742, OTP-19748,
                         OTP-19753, OTP-19755, OTP-19761
Seq num:                 CVE-2025-48038, CVE-2025-48039,
                         CVE-2025-48040, CVE-2025-48041,
                         CVE-2025-58050, PR-10155, PR-10156, PR-10157,
                         PR-10162, PR-19755, PR-9815
System:                  OTP
Release:                 28
Application:             diameter-2.5.1, erts-16.0.3, ssh-5.3.3,
                         stdlib-7.0.3
Predecessor:             OTP 28.0.2

Check out the git tag OTP-28.0.3, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

POTENTIAL INCOMPATIBILITIES

• Option max_handles can be configured for sshd running SFTP. The positive integer value limits amount of file handles opened for a connection (by default 4096 is used).

  Own Id: OTP-19701
  Application(s): ssh
  Related Id(s): PR-10157, CVE-2025-48041

• Avoid decoding KEX messages providing too many algorithms. This change does not introduce new limitation but assures it is enforced earlier in processing chain. Adjustments in error logging during handshake.

  Own Id: OTP-19741
  Application(s): ssh
  Related Id(s): PR-10162, CVE-2025-48040

• A new 'max_path' option is now available in the sshd configuration, allowing administrators to set the maximum allowable path length. By default, this value is set to 4096 characters.

  Own Id: OTP-19742
  Application(s): ssh
  Related Id(s): PR-10155, CVE-2025-48039

• Reject file handles exceeding size specified in RFCs (256 bytes).

  Own Id: OTP-19748
  Application(s): ssh
  Related Id(s): PR-10156, CVE-2025-48038

diameter-2.5.1

The diameter-2.5.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• With this change message_cb callback will be called with updated state for processing 'ack' after 'send'.

  Own Id: OTP-19753
  Related Id(s): PR-9815

Full runtime dependencies of diameter-2.5.1

erts-10.0, kernel-3.2, ssl-9.0, stdlib-5.0

erts-16.0.3

The erts-16.0.3 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Update PCRE2 from 10.45 to 10.46. Fixes potential buffer read overflow on regular expressions with (*scs:) and (*ACCEPT) syntax combined.

  Own Id: OTP-19755
  Related Id(s): CVE-2025-58050

• Fixed bug that could cause crash in beam started with erl -emu_type debug +JPperf true with any type of tracing return from function.

  Own Id: OTP-19761
  Related Id(s): PR-19755

Full runtime dependencies of erts-16.0.3

kernel-9.0, sasl-3.3, stdlib-4.1

ssh-5.3.3

The ssh-5.3.3 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Option max_handles can be configured for sshd running SFTP. The positive integer value limits amount of file handles opened for a connection (by default 4096 is used).

  Own Id: OTP-19701
  Related Id(s): PR-10157, CVE-2025-48041

  *** POTENTIAL INCOMPATIBILITY ***

• Avoid decoding KEX messages providing too many algorithms. This change does not introduce new limitation but assures it is enforced earlier in processing chain. Adjustments in error logging during handshake.

  Own Id: OTP-19741
  Related Id(s): PR-10162, CVE-2025-48040

  *** POTENTIAL INCOMPATIBILITY ***

• A new 'max_path' option is now available in the sshd configuration, allowing administrators to set the maximum allowable path length. By default, this value is set to 4096 characters.

  Own Id: OTP-19742
  Related Id(s): PR-10155, CVE-2025-48039

  *** POTENTIAL INCOMPATIBILITY ***

• Reject file handles exceeding size specified in RFCs (256 bytes).

  Own Id: OTP-19748
  Related Id(s): PR-10156, CVE-2025-48038

  *** POTENTIAL INCOMPATIBILITY ***

Full runtime dependencies of ssh-5.3.3

crypto-5.0, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0

stdlib-7.0.3

Note! The stdlib-7.0.3 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependency has to be satisfied:
   -- erts-16.0.3 (first satisfied in OTP 28.0.3)

Fixed Bugs and Malfunctions

• Update PCRE2 from 10.45 to 10.46. Fixes potential buffer read overflow on regular expressions with (*scs:) and (*ACCEPT) syntax combined.

  Own Id: OTP-19755
  Related Id(s): CVE-2025-58050

Full runtime dependencies of stdlib-7.0.3

compiler-5.0, crypto-4.5, erts-16.0.3, kernel-10.0, sasl-3.0, syntax_tools-3.2.1

Thanks to

Alberto Sartori

Patch Package:           OTP 27.3.4.3
Git Tag:                 OTP-27.3.4.3
Date:                    2025-09-10
Trouble Report Id:       OTP-19701, OTP-19719, OTP-19722, OTP-19728,
                         OTP-19729, OTP-19740, OTP-19741, OTP-19742,
                         OTP-19748, OTP-19760
Seq num:                 CVE-2025-48038, CVE-2025-48039,
                         CVE-2025-48040, CVE-2025-48041, GH-10057,
                         GH-10065, GH-10072, GH-10077, GH-10103,
                         GH-3392, PR-10066, PR-10090, PR-10093,
                         PR-10118, PR-10120, PR-10155, PR-10156,
                         PR-10157, PR-10162, PR-6223
System:                  OTP
Release:                 27
Application:             compiler-8.6.1.2, debugger-5.5.0.1,
                         erts-15.2.7.2, inets-9.3.2.1, ssh-5.2.11.3,
                         syntax_tools-3.2.2.1
Predecessor:             OTP 27.3.4.2

Check out the git tag OTP-27.3.4.3, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

POTENTIAL INCOMPATIBILITIES

• Option max_handles can be configured for sshd running SFTP. The positive integer value limits amount of file handles opened for a connection (by default 4096 is used).

  Own Id: OTP-19701
  Application(s): ssh
  Related Id(s): PR-10157, CVE-2025-48041

• Avoid decoding KEX messages providing too many algorithms. This change does not introduce new limitation but assures it is enforced earlier in processing chain. Adjustments in error logging during handshake.

  Own Id: OTP-19741
  Application(s): ssh
  Related Id(s): PR-10162, CVE-2025-48040

• A new 'max_path' option is now available in the sshd configuration, allowing administrators to set the maximum allowable path length. By default, this value is set to 4096 characters.

  Own Id: OTP-19742
  Application(s): ssh
  Related Id(s): PR-10155, CVE-2025-48039

• Reject file handles exceeding size specified in RFCs (256 bytes).

  Own Id: OTP-19748
  Application(s): ssh
  Related Id(s): PR-10156, CVE-2025-48038

compiler-8.6.1.2

The compiler-8.6.1.2 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• In rare circumstances, the compiler could crash when compiling code using bit syntax construction.

  Own Id: OTP-19722
  Related Id(s): GH-10077, PR-10090

Full runtime dependencies of compiler-8.6.1.2

crypto-5.1, erts-13.0, kernel-8.4, stdlib-6.0

debugger-5.5.0.1

The debugger-5.5.0.1 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• Fix unbound error in interpreted modules

  Own Id: OTP-19719
  Related Id(s): GH-10057, PR-10066

Full runtime dependencies of debugger-5.5.0.1

compiler-8.0, erts-15.0, kernel-10.0, stdlib-3.15, wx-2.0

erts-15.2.7.2

The erts-15.2.7.2 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• As an optimization, when the unicode:characters_to_binary/3 was used to convert from latin1 to utf8 or vice versa, it would return the original binary unchanged if it only contained 7-bit ASCII characters. That otpimization was broken in Erlang/OTP 27, and has now been mended.

  Own Id: OTP-19728
  Related Id(s): GH-10072, PR-10093

Full runtime dependencies of erts-15.2.7.2

kernel-9.0, sasl-3.3, stdlib-4.1

inets-9.3.2.1

The inets-9.3.2.1 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• Fixed a bug where a request sent to httpd server which is using CGI script to generate a response, would pollute server's environment variable - HTTP_PROXY for that request. This bug is also known as httpoxy. More information: CVE-2016-1000107

  Own Id: OTP-19729
  Related Id(s): GH-3392, PR-6223

• Fixed a RFC 2616 violation, where a http request, made by httpc, without providing any options, would be sent with an empty TE header, without also having a TE value in the connection header. Now the default request doesn't send a TE header at all.

  Own Id: OTP-19760
  Related Id(s): GH-10065, PR-10120

Full runtime dependencies of inets-9.3.2.1

erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0

ssh-5.2.11.3

The ssh-5.2.11.3 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• Option max_handles can be configured for sshd running SFTP. The positive integer value limits amount of file handles opened for a connection (by default 4096 is used).

  Own Id: OTP-19701
  Related Id(s): PR-10157, CVE-2025-48041

  *** POTENTIAL INCOMPATIBILITY ***

• Avoid decoding KEX messages providing too many algorithms. This change does not introduce new limitation but assures it is enforced earlier in processing chain. Adjustments in error logging during handshake.

  Own Id: OTP-19741
  Related Id(s): PR-10162, CVE-2025-48040

  *** POTENTIAL INCOMPATIBILITY ***

• A new 'max_path' option is now available in the sshd configuration, allowing administrators to set the maximum allowable path length. By default, this value is set to 4096 characters.

  Own Id: OTP-19742
  Related Id(s): PR-10155, CVE-2025-48039

  *** POTENTIAL INCOMPATIBILITY ***

• Reject file handles exceeding size specified in RFCs (256 bytes).

  Own Id: OTP-19748
  Related Id(s): PR-10156, CVE-2025-48038

  *** POTENTIAL INCOMPATIBILITY ***

Full runtime dependencies of ssh-5.2.11.3

crypto-5.0, erts-14.0, kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0

syntax_tools-3.2.2.1

The syntax_tools-3.2.2.1 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• Backport fix for annotating maybe to OTP-27

  Own Id: OTP-19740
  Related Id(s): GH-10103, PR-10118

Full runtime dependencies of syntax_tools-3.2.2.1

compiler-7.0, erts-9.0, kernel-5.0, stdlib-4.0

Thanks to

Marcel Lanz, Savvas Nicholas

Patch Package:           OTP 28.0.2
Git Tag:                 OTP-28.0.2
Date:                    2025-07-17
Trouble Report Id:       OTP-19661, OTP-19670, OTP-19673, OTP-19674,
                         OTP-19678, OTP-19680, OTP-19682, OTP-19683,
                         OTP-19684, OTP-19687, OTP-19690, OTP-19691,
                         OTP-19697, OTP-19699, OTP-19700, OTP-19702,
                         OTP-19703, OTP-19707, OTP-19710, OTP-19711
Seq num:                 ERIERL-1240, ERIERL-1241, ERIERL-1242,
                         GH-10001, GH-10007, GH-10028, GH-10047,
                         GH-9632, GH-9655, GH-9858, GH-9884, GH-9992,
                         PR-10003, PR-10008, PR-10016, PR-10023,
                         PR-10024, PR-10029, PR-10031, PR-10035,
                         PR-10036, PR-10039, PR-10048, PR-9887,
                         PR-9930, PR-9952, PR-9953, PR-9955, PR-9994,
                         PR-9996
System:                  OTP
Release:                 28
Application:             compiler-9.0.1, debugger-6.0.2, erts-16.0.2,
                         kernel-10.3.2, public_key-1.18.2, ssh-5.3.2,
                         ssl-11.3.2, stdlib-7.0.2, wx-2.5.1
Predecessor:             OTP 28.0.1

Check out the git tag OTP-28.0.2, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

OTP-28.0.2

Fixed Bugs and Malfunctions

• Fix otp_patch_apply to work with Erlang/OTP 28 and later.

  Own Id: OTP-19682
  Related Id(s): PR-9953

compiler-9.0.1

The compiler-9.0.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fixed a bug that could cause empty bitstring matches to always succeed, even when they should not.

  Own Id: OTP-19711
  Related Id(s): GH-10047, PR-10048

Full runtime dependencies of compiler-9.0.1

crypto-5.1, erts-13.0, kernel-8.4, stdlib-6.0

debugger-6.0.2

The debugger-6.0.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fixed debugger priv dir, which was removed and caused crashes when the icons could not be found.

  Own Id: OTP-19687
  Related Id(s): GH-9858, PR-9994

Full runtime dependencies of debugger-6.0.2

compiler-8.0, erts-15.0, kernel-10.0, stdlib-7.0, wx-2.0

erts-16.0.2

The erts-16.0.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• prim_net nif used incorrect encoding for family resulting in non-functional address selection.

  Own Id: OTP-19674

• Fix windows uninstall command.

  Own Id: OTP-19683
  Related Id(s): GH-9884, GH-9992, PR-9887

• With this change erlang will start if it receives short (ms-dos compatible) path to executable.

  Own Id: OTP-19690
  Related Id(s): PR-9996

Improvements and New Features

• The maximum amount of connections for epmd on Windows platforms has been increased from 64 to 1024.

  Own Id: OTP-19710
  Related Id(s): PR-10039

Full runtime dependencies of erts-16.0.2

kernel-9.0, sasl-3.3, stdlib-4.1

kernel-10.3.2

The kernel-10.3.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• socket:sendv/3 with 'nowait' sometimes return 'completion' without 'CompletionInfo' (Windows only).

  Own Id: OTP-19661

• prim_net nif used incorrect encoding for family resulting in non-functional address selection.

  Own Id: OTP-19674

• socket:accept can return unexpected 'select_sent'.

  Own Id: OTP-19684
  Related Id(s): ERIERL-1242

• net_kernel could be blocked for a very long time when selecting distribution module for a connection if the DNS service was slow. This prevented any new connections to be set up during that time.

  Own Id: OTP-19702
  Related Id(s): ERIERL-1241, PR-10029

Improvements and New Features

• Improved documentation of CompletionStatus for asynchronous (nowait) socket operations.

  Own Id: OTP-19670
  Related Id(s): PR-9930

Full runtime dependencies of kernel-10.3.2

crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-6.0

public_key-1.18.2

The public_key-1.18.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Adjustments in include file to retain compatibility with supported ASN-1 standards, although not all record and macros are explicitly documented.

  Own Id: OTP-19678
  Related Id(s): GH-10001, PR-10008, PR-9955

• Handle certificates that are signed with RSASSA-PSS but the PSS params are specified in the 'SignatureAlgorithm' of the signed cert and not in the signer's 'SubjectPublicKeyInfo'.

  Own Id: OTP-19699
  Related Id(s): GH-9632, PR-10023

• Add modern ASN-1 specs to be able to retain support for ExtensionRequest from legacy PKCS-9 spec.

  Own Id: OTP-19703
  Related Id(s): GH-10028, PR-10031

Full runtime dependencies of public_key-1.18.2

asn1-5.0, crypto-5.0, erts-13.0, kernel-8.0, stdlib-4.0

ssh-5.3.2

The ssh-5.3.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fix file handle id generation.

  Own Id: OTP-19691
  Related Id(s): PR-10003

• Fixes a badmatch error, when SFTP operation cannot be processed due to channel closed in parallel.

  Own Id: OTP-19707
  Related Id(s): GH-9655, PR-10035, PR-10036

Full runtime dependencies of ssh-5.3.2

crypto-5.0, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0

ssl-11.3.2

The ssl-11.3.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Improve error message for bad arguments to underlying connect.

  Own Id: OTP-19697
  Related Id(s): GH-10007, PR-10016

Full runtime dependencies of ssl-11.3.2

crypto-5.6, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.16.4, runtime_tools-1.15.1, stdlib-7.0

stdlib-7.0.2

The stdlib-7.0.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• A set of small bugs in sort stability for `lists:sort/1` and `lists:keysort/1` has been fixed. The bug happened for only some, seemingly random, element sequences. Most sorts were stable.

  Sort stability for `lists:sort/1` is only possible to observe when sorting lists with floating point and integer numbers of the same value.

  For `lists:keysort/1` the list had to start with two tuples where the keys or the whole tuples compared equal.

  Own Id: OTP-19673
  Related Id(s): ERIERL-1240

• Fixed bug in io_lib:bformat/2 which crashed if format string contained unicode characters.

  Own Id: OTP-19680
  Related Id(s): PR-9952

Full runtime dependencies of stdlib-7.0.2

compiler-5.0, crypto-4.5, erts-16.0, kernel-10.0, sasl-3.0, syntax_tools-3.2.1

wx-2.5.1

The wx-2.5.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Don't include gl.beam in pre-built source tar file, since it depends on local configure results.

  Own Id: OTP-19700
  Related Id(s): PR-10024

Full runtime dependencies of wx-2.5.1

erts-12.0, kernel-8.0, stdlib-5.0

Thanks to

Dmytro Lytovchenko

GH-10001: #10001 GH-10007: #10007 GH-10028: #10028 GH-10047: #10047 GH-9632: #9632 GH-9655: #9655 GH-9858: #9858 GH-9884: #9884 GH-9992: #9992 PR-10003: #10003 PR-10008: #10008 PR-10016: #10016 PR-10023: #10023 PR-10024: #10024 PR-10029: #10029 PR-10031: #10031 PR-10035: #10035 PR-10036: #10036 PR-10039: #10039 PR-10048: #10048 PR-9887: #9887 PR-9930: #9930 PR-9952: #9952 PR-9953: #9953 PR-9955: #9955 PR-9994: #9994 PR-9996: #9996

Patch Package:           OTP 27.3.4.2
Git Tag:                 OTP-27.3.4.2
Date:                    2025-07-17
Trouble Report Id:       OTP-19661, OTP-19670, OTP-19673, OTP-19681,
                         OTP-19683, OTP-19684, OTP-19688, OTP-19691,
                         OTP-19697, OTP-19699, OTP-19702, OTP-19707,
                         OTP-19710, OTP-19711
Seq num:                 ERIERL-1240, ERIERL-1241, ERIERL-1242,
                         GH-10007, GH-10047, GH-9632, GH-9655,
                         GH-9884, GH-9992, PR-10003, PR-10016,
                         PR-10023, PR-10029, PR-10035, PR-10036,
                         PR-10039, PR-10048, PR-9843, PR-9887,
                         PR-9930, PR-9949
System:                  OTP
Release:                 27
Application:             asn1-5.3.4.2, compiler-8.6.1.1,
                         erts-15.2.7.1, kernel-10.2.7.2,
                         public_key-1.17.1.1, ssh-5.2.11.2,
                         ssl-11.2.12.2, stdlib-6.2.2.2
Predecessor:             OTP 27.3.4.1

Check out the git tag OTP-27.3.4.2, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

asn1-5.3.4.2

The asn1-5.3.4.2 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• Decoding a constrained BIT STRING using JER was broken.

  Own Id: OTP-19681
  Related Id(s): PR-9949

Full runtime dependencies of asn1-5.3.4.2

erts-14.0, kernel-9.0, stdlib-5.0

compiler-8.6.1.1

The compiler-8.6.1.1 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• Fixed a bug that could cause empty bitstring matches to always succeed, even when they should not.

  Own Id: OTP-19711
  Related Id(s): GH-10047, PR-10048

Full runtime dependencies of compiler-8.6.1.1

crypto-5.1, erts-13.0, kernel-8.4, stdlib-6.0

erts-15.2.7.1

The erts-15.2.7.1 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• Fix windows uninstall command.

  Own Id: OTP-19683
  Related Id(s): GH-9884, GH-9992, PR-9887

Improvements and New Features

• The maximum amount of connections for epmd on Windows platforms has been increased from 64 to 1024.

  Own Id: OTP-19710
  Related Id(s): PR-10039

Full runtime dependencies of erts-15.2.7.1

kernel-9.0, sasl-3.3, stdlib-4.1

kernel-10.2.7.2

Note! The kernel-10.2.7.2 application cannot be applied independently of other applications on an arbitrary OTP 27 installation.

   On a full OTP 27 installation, also the following runtime
   dependency has to be satisfied:
   -- erts-15.2.5 (first satisfied in OTP 27.3.2)

Fixed Bugs and Malfunctions

• socket:sendv/3 with 'nowait' sometimes return 'completion' without 'CompletionInfo' (Windows only).

  Own Id: OTP-19661

• socket:accept can return unexpected 'select_sent'.

  Own Id: OTP-19684
  Related Id(s): ERIERL-1242

• net_kernel could be blocked for a very long time when selecting distribution module for a connection if the DNS service was slow. This prevented any new connections to be set up during that time.

  Own Id: OTP-19702
  Related Id(s): ERIERL-1241, PR-10029

Improvements and New Features

• Improved documentation of CompletionStatus for asynchronous (nowait) socket operations.

  Own Id: OTP-19670
  Related Id(s): PR-9930

Full runtime dependencies of kernel-10.2.7.2

crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-6.0

public_key-1.17.1.1

The public_key-1.17.1.1 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• Handle certificates that are signed with RSASSA-PSS but the PSS params are specified in the 'SignatureAlgorithm' of the signed cert and not in the signer's 'SubjectPublicKeyInfo'.

  Own Id: OTP-19699
  Related Id(s): GH-9632, PR-10023

Full runtime dependencies of public_key-1.17.1.1

asn1-5.0, crypto-5.0, erts-13.0, kernel-8.0, stdlib-4.0

ssh-5.2.11.2

The ssh-5.2.11.2 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• Fix file handle id generation.

  Own Id: OTP-19691
  Related Id(s): PR-10003

• Fixes a badmatch error, when SFTP operation cannot be processed due to channel closed in parallel.

  Own Id: OTP-19707
  Related Id(s): GH-9655, PR-10035, PR-10036

Full runtime dependencies of ssh-5.2.11.2

crypto-5.0, erts-14.0, kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0

ssl-11.2.12.2

Note! The ssl-11.2.12.2 application cannot be applied independently of other applications on an arbitrary OTP 27 installation.

   On a full OTP 27 installation, also the following runtime
   dependency has to be satisfied:
   -- public_key-1.16.4 (first satisfied in OTP 27.1.3)

Fixed Bugs and Malfunctions

• Improve error message for bad arguments to underlying connect.

  Own Id: OTP-19697
  Related Id(s): GH-10007, PR-10016

Improvements and New Features

• Allow the PSK identity to be the empty string in TLS-1.2 for compatibility reasons. It is allowed according to the spec although providing a proper value makes more sense.

  Own Id: OTP-19688
  Related Id(s): PR-9843

Full runtime dependencies of ssl-11.2.12.2

crypto-5.0, erts-15.0, inets-5.10.7, kernel-9.0, public_key-1.16.4, runtime_tools-1.15.1, stdlib-6.0

stdlib-6.2.2.2

The stdlib-6.2.2.2 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• A set of small bugs in sort stability for `lists:sort/1` and `lists:keysort/1` has been fixed. The bug happened for only some, seemingly random, element sequences. Most sorts were stable.

  Sort stability for `lists:sort/1` is only possible to observe when sorting lists with floating point and integer numbers of the same value.

  For `lists:keysort/1` the list had to start with two tuples where the keys or the whole tuples compared equal.

  Own Id: OTP-19673
  Related Id(s): ERIERL-1240

Full runtime dependencies of stdlib-6.2.2.2

compiler-5.0, crypto-4.5, erts-15.0, kernel-10.0, sasl-3.0

Thanks to

Dmytro Lytovchenko

GH-10007: #10007 GH-10047: #10047 GH-9632: #9632 GH-9655: #9655 GH-9884: #9884 GH-9992: #9992 PR-10003: #10003 PR-10016: #10016 PR-10023: #10023 PR-10029: #10029 PR-10035: #10035 PR-10036: #10036 PR-10039: #10039 PR-10048: #10048 PR-9843: #9843 PR-9887: #9887 PR-9930: #9930 PR-9949: #9949

Patch Package:           OTP 27.3.4.1
Git Tag:                 OTP-27.3.4.1
Date:                    2025-06-16
Trouble Report Id:       OTP-19634, OTP-19635, OTP-19637, OTP-19638,
                         OTP-19640, OTP-19646, OTP-19647, OTP-19649,
                         OTP-19653, OTP-19658, OTP-19659, OTP-19662,
                         OTP-19667, OTP-19676
Seq num:                 CVE-2025-4748, ERIERL-1225, ERIERL-1235,
                         GH-6463, GH-9102, GH-9722, GH-9771, GH-9816,
                         GH-9841, GH-9875, PR-9103, PR-9691, PR-9838,
                         PR-9846, PR-9849, PR-9859, PR-9876, PR-9896,
                         PR-9897, PR-9898, PR-9905, PR-9912, PR-9941
System:                  OTP
Release:                 27
Application:             asn1-5.3.4.1, eldap-1.2.14.1,
                         kernel-10.2.7.1, ssh-5.2.11.1, ssl-11.2.12.1,
                         stdlib-6.2.2.1, xmerl-2.1.3.1
Predecessor:             OTP 27.3.4

Check out the git tag OTP-27.3.4.1, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

OTP-27.3.4.1

Fixed Bugs and Malfunctions

• Disable warnings as error for ex_doc when any Erlang/OTP application has been disabled by configure.

  Own Id: OTP-19646
  Related Id(s): GH-9875, PR-9876

asn1-5.3.4.1

The asn1-5.3.4.1 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• The ASN.1 compiler could generate code that would cause Dialyzer with the unmatched_returns option to emit warnings.

  Own Id: OTP-19638
  Related Id(s): GH-9841, PR-9846

Full runtime dependencies of asn1-5.3.4.1

erts-14.0, kernel-9.0, stdlib-5.0

eldap-1.2.14.1

The eldap-1.2.14.1 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• With this change eldap's 'not' function will have specs fixed.

  Own Id: OTP-19658
  Related Id(s): PR-9859

Full runtime dependencies of eldap-1.2.14.1

asn1-3.0, erts-6.0, kernel-3.0, ssl-5.3.4, stdlib-3.4

kernel-10.2.7.1

Note! The kernel-10.2.7.1 application cannot be applied independently of other applications on an arbitrary OTP 27 installation.

   On a full OTP 27 installation, also the following runtime
   dependency has to be satisfied:
   -- erts-15.2.5 (first satisfied in OTP 27.3.2)

Fixed Bugs and Malfunctions

• A remote shell can now exit by closing the input stream, without terminating the remote node.

  Own Id: OTP-19667
  Related Id(s): PR-9912

Improvements and New Features

• Document default buffer sizes

  Own Id: OTP-19640
  Related Id(s): GH-9722

Full runtime dependencies of kernel-10.2.7.1

crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-6.0

ssh-5.2.11.1

The ssh-5.2.11.1 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• Various channel closing robustness improvements. Avoid crashes when channel handling process closes channel and immediately exits. Avoid breaking the protocol by sending duplicated channel-close messages. Cleanup channels which timeout during closing procedure.

  Own Id: OTP-19634
  Related Id(s): GH-9102, PR-9103

• Improved interoperability with clients acting as Paramiko.

  Own Id: OTP-19637
  Related Id(s): GH-6463, PR-9838

Full runtime dependencies of ssh-5.2.11.1

crypto-5.0, erts-14.0, kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0

ssl-11.2.12.1

Note! The ssl-11.2.12.1 application cannot be applied independently of other applications on an arbitrary OTP 27 installation.

   On a full OTP 27 installation, also the following runtime
   dependency has to be satisfied:
   -- public_key-1.16.4 (first satisfied in OTP 27.1.3)

Fixed Bugs and Malfunctions

• hs_keylog callback properly handle alert in initial states, where encryption is not yet used. Also add keylog callback invocation for corner-case where server alert is encrypted with application secrets as client is already in connection state.

  Own Id: OTP-19635
  Related Id(s): ERIERL-1235, PR-9849

Improvements and New Features

• The documentation for SSL option verify_fun has been improved.

  Own Id: OTP-19676
  Related Id(s): PR-9691

Full runtime dependencies of ssl-11.2.12.1

crypto-5.0, erts-15.0, inets-5.10.7, kernel-9.0, public_key-1.16.4, runtime_tools-1.15.1, stdlib-6.0

stdlib-6.2.2.1

The stdlib-6.2.2.1 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• The save_module/1 command in the shell now saves both the locally defined records and the imported records using the rr/1 command.

  Own Id: OTP-19647
  Related Id(s): GH-9816, PR-9897

• It's now possible to write lists:map(fun is_atom/1, []) or lists:map(fun my_func/1, []), in the shell, instead of lists:map(fun erlang:is_atom/1, []) or lists:map(fun shell_default:my_func/1, []).

  Own Id: OTP-19649
  Related Id(s): GH-9771, PR-9898

• Properly strip the leading / and drive letter from filepaths when zipping and unzipping archives.

  Thanks to Wander Nauta for finding and responsibly disclosing this vulnerability to the Erlang/OTP project.

  Own Id: OTP-19653
  Related Id(s): PR-9941, CVE-2025-4748

• Shell no longer crashes when requesting to autocomplete map keys containing non-atoms.

  Own Id: OTP-19659
  Related Id(s): PR-9896

• A remote shell can now exit by closing the input stream, without terminating the remote node.

  Own Id: OTP-19667
  Related Id(s): PR-9912

Full runtime dependencies of stdlib-6.2.2.1

compiler-5.0, crypto-4.5, erts-15.0, kernel-10.0, sasl-3.0

xmerl-2.1.3.1

The xmerl-2.1.3.1 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• The type specs of xmerl_scan:file/2 and xmerl_scan:string/2 has been updated to return dynamic/0. Due to hook functions they can return any user defined term.

  Own Id: OTP-19662
  Related Id(s): ERIERL-1225, PR-9905

Full runtime dependencies of xmerl-2.1.3.1

erts-6.0, kernel-8.4, stdlib-2.5

Thanks to

Dan Janowski, Ilya Averyanov, Yaroslav Maslennikov