Patch Package OTP 22.3.4.27 Released

Erlang News & Announcements Erlang News
1 
Patch Package:           OTP 22.3.4.27
Git Tag:                 OTP-22.3.4.27
Date:                    2024-03-18
Trouble Report Id:       OTP-18169, OTP-18170, OTP-18175, OTP-18197,
                         OTP-18258, OTP-18897, OTP-19002
Seq num:                 ERIERL-1041, GH-6165, GH-6309, PR-6134,
                         PR-6135, PR-6142, PR-6213, PR-6324
System:                  OTP
Release:                 22
Application:             erts-10.7.2.19, ssh-4.9.1.5
Predecessor:             OTP 22.3.4.26

 Check out the git tag OTP-22.3.4.27, and build a full OTP system
 including documentation. Apply one or more applications from this
 build as patches to your installation using the 'otp_patch_apply'
 tool. For information on install requirements, see descriptions for
 each application version below.

 ---------------------------------------------------------------------
 --- POTENTIAL INCOMPATIBILITIES -------------------------------------
 ---------------------------------------------------------------------

  OTP-18897    Application(s): ssh

               With this change (being response to CVE-2023-48795),
               ssh can negotiate "strict KEX" OpenSSH extension with
               peers supporting it; also
               'chacha20-poly1305@openssh.com' algorithm becomes a
               less preferred cipher.

               If strict KEX availability cannot be ensured on both
               connection sides, affected encryption modes(CHACHA and
               CBC) can be disabled with standard ssh configuration.
               This will provide protection against vulnerability, but
               at a cost of affecting interoperability. See
               Configuring algorithms in SSH User's Guide.


 ---------------------------------------------------------------------
 --- erts-10.7.2.19 --------------------------------------------------
 ---------------------------------------------------------------------

 Note! The erts-10.7.2.19 application *cannot* be applied
       independently of other applications on an arbitrary OTP 22
       installation.

       On a full OTP 22 installation, also the following runtime
       dependency has to be satisfied:
       -- kernel-6.5.2.5 (first satisfied in OTP 22.3.4.25)


 --- Fixed Bugs and Malfunctions ---

  OTP-18169    Application(s): erts
               Related Id(s): PR-6134

               A race could cause process_info(Pid, message_queue_len)
               on other processes to return invalid results.


  OTP-18170    Application(s): erts
               Related Id(s): PR-6135

               Fixed reduction counting for handling process system
               tasks.


  OTP-18175    Application(s): erts
               Related Id(s): PR-6142

               Priority elevation of terminating processes did not
               work which could cause execution of such processes to
               be delayed.


  OTP-18197    Application(s): erts
               Related Id(s): GH-6165, PR-6213

               The erlang:monotonic_time/1, erlang:system_time/1,
               erlang:time_offset/1, and os:system_time/1 BIFs
               erroneously failed when passed the argument native.


  OTP-18258    Application(s): erts
               Related Id(s): GH-6309, PR-6324

               Notifications about available distribution data sent to
               distribution controller processes could be lost.
               Distribution controller processes can be used when
               implementing an alternative distribution carrier. The
               default distribution over tcp was not effected and the
               bug was also not present on x86/x86_64 platforms.


 Full runtime dependencies of erts-10.7.2.19: kernel-6.5.2.5,
 sasl-3.3, stdlib-3.5


 ---------------------------------------------------------------------
 --- ssh-4.9.1.5 -----------------------------------------------------
 ---------------------------------------------------------------------

 Note! The ssh-4.9.1.5 application *cannot* be applied independently
       of other applications on an arbitrary OTP 22 installation.

       On a full OTP 22 installation, also the following runtime
       dependency has to be satisfied:
       -- crypto-4.6.4 (first satisfied in OTP 22.2.2)


 --- Fixed Bugs and Malfunctions ---

  OTP-18897    Application(s): ssh

               *** POTENTIAL INCOMPATIBILITY ***

               With this change (being response to CVE-2023-48795),
               ssh can negotiate "strict KEX" OpenSSH extension with
               peers supporting it; also
               'chacha20-poly1305@openssh.com' algorithm becomes a
               less preferred cipher.

               If strict KEX availability cannot be ensured on both
               connection sides, affected encryption modes(CHACHA and
               CBC) can be disabled with standard ssh configuration.
               This will provide protection against vulnerability, but
               at a cost of affecting interoperability. See
               Configuring algorithms in SSH User's Guide.


  OTP-19002    Application(s): ssh
               Related Id(s): ERIERL-1041

               With this change, KEX strict terminal message is
               emitted with debug verbosity.


 Full runtime dependencies of ssh-4.9.1.5: crypto-4.6.4, erts-9.0,
 kernel-5.3, public_key-1.6.1, stdlib-3.4.1


 ---------------------------------------------------------------------
 ---------------------------------------------------------------------
 ---------------------------------------------------------------------
1 Like