OTP 25.1 Released

proxyles · September 21, 2022, 1:04pm

OTP 25.1

Erlang/OTP 25.1 is the first maintenance patch package for OTP 25, with mostly bug fixes as well as quite many small improvements.

Below are some highlights of the release:

crypto:

Crypto is now considered to be usable with the OpenSSL
3.0 cryptolib for production code.
ENGINE and FIPS are not yet fully functional.
Changed the behaviour of the engine load/unload
functions

ssl:

A vulnerability has been discovered and corrected. It
is registered as CVE-2022-37026 “Client Authentication
Bypass”. Corrections have been released on the
supported tracks with patches 23.3.4.15, 24.3.4.2, and
25.0.2. The vulnerability might also exist in older OTP
versions. We recommend that impacted users upgrade to
one of these versions or later on the respective
tracks. OTP 25.1 would be an even better choice.
Impacted are those who are running an ssl/tls/dtls
server using the ssl application either directly or
indirectly via other applications. For example via
inets (httpd), cowboy, etc. Note that the vulnerability
only affects servers that request client certification,
that is sets the option {verify, verify_peer}.

For more details and downloads follow this link

The Erlang/OTP source can also be found at GitHub on the official Erlang repository,

NelsonVides · September 23, 2022, 4:37pm

After upgrading to this release, rebar3 eunit is failing after the exact_execution is not in the options list, in here otp/eunit_data.erl at c194380712236c301188f0b401352f14c608c145 · u3s/otp · GitHub

To be precise, the error is that options is an empty list! So all proplists:X/2 will fail with a function_clause error when executed.

mikpe · September 23, 2022, 8:12pm

Check the Erlang/OTP github repo, both open issues and pull requests. There are multiple reports about rebar3 eunit failing with OTP-25.1. In particular see eunit: Fix `$ rebar3 eunit` error on OTP 25.1 by sile · Pull Request #6322 · erlang/otp · GitHub . I would recommend people to stay on 25.0.4 until a patch release (likely 25.1.1 but who knows) fixes the issue.

kuba · September 27, 2022, 12:30pm

Eunit fix is planned to be released with OTP25.1.1 this week.

kuba · September 30, 2022, 10:52am

25.1.1 will be delayed till Monday, sorry for inconvenience.

abhilash.vankayala · November 22, 2022, 6:06pm

Currently we are using Erlang 25.1.2 Version for the purpose of RabbitMQ and we have a security Vulnerability identified as part of Erlang otp installation, which indicates Erlang 25.1.2 using Crypto.dll (5.2.1) which using a vulnerable Openssl 1.1.1q. Is this vulnerable valid and is crypto.dll using OpenSll.1.1.1q or some other latest version?

ingela · November 23, 2022, 8:14am

OTP-25.1.2 does not depend on a special version of OpenSSL that depends on your build. If the vulnerability is for OpenSSL protocol implementation it is not relevant for OTP only if the vulnerability is on the libcrypto functions will it also affect OTP.

AstonJ · January 7, 2023, 9:20pm

A post was split to a new topic: Noticed that compiling OTP with kerl or from the source binaries (elf files) are built with the debug info - is that intentional?

AstonJ · March 13, 2023, 3:21pm

A post was split to a new topic: Will Erlang/OTP 25+ has plan to fully support FIPS?