Patch Package: OTP 25.3.2.18
Git Tag: OTP-25.3.2.18
Date: 2025-02-20
Trouble Report Id: OTP-19240, OTP-19466, OTP-19495
Seq num: CVE-2025-26618, ERIERL-1173, GH-8208,
GH-9208, PR-8209, PR-9286
System: OTP
Release: 25
Application: erts-13.2.2.14, public_key-1.13.3.6,
ssh-4.15.3.10
Predecessor: OTP 25.3.2.17
Check out the git tag OTP-25.3.2.18, and build a full OTP system
including documentation. Apply one or more applications from this
build as patches to your installation using the 'otp_patch_apply'
tool. For information on install requirements, see descriptions for
each application version below.
---------------------------------------------------------------------
--- erts-13.2.2.14 --------------------------------------------------
---------------------------------------------------------------------
Note! The erts-13.2.2.14 application *cannot* be applied
independently of other applications on an arbitrary OTP 25
installation.
On a full OTP 25 installation, also the following runtime
dependencies have to be satisfied:
-- kernel-8.5 (first satisfied in OTP 25.1)
-- stdlib-4.1 (first satisfied in OTP 25.1)
--- Fixed Bugs and Malfunctions ---
OTP-19495 Application(s): erts
Related Id(s): GH-8208, PR-8209
Fixed BEAM crash when a custom thread sends a large map
(>128 keys) externally encoded with for example
erl_drv_send_term().
Full runtime dependencies of erts-13.2.2.14: kernel-8.5, sasl-3.3,
stdlib-4.1
---------------------------------------------------------------------
--- public_key-1.13.3.6 ---------------------------------------------
---------------------------------------------------------------------
The public_key-1.13.3.6 application can be applied independently of
other applications on a full OTP 25 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19240 Application(s): public_key
Related Id(s): GH-9208, PR-9286
Consider keyCertSign to compatible with extended key
usage for TLS client/server auth in CAs, adhere to wide
spread implementations
Full runtime dependencies of public_key-1.13.3.6: asn1-3.0,
crypto-4.6, erts-6.0, kernel-3.0, stdlib-3.5
---------------------------------------------------------------------
--- ssh-4.15.3.10 ---------------------------------------------------
---------------------------------------------------------------------
The ssh-4.15.3.10 application can be applied independently of other
applications on a full OTP 25 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19466 Application(s): ssh
Related Id(s): ERIERL-1173, CVE-2025-26618
SFTP packets exceeding max packet size are not
processed and dropped.
Full runtime dependencies of ssh-4.15.3.10: crypto-5.0, erts-11.0,
kernel-6.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-3.15
---------------------------------------------------------------------
--- Thanks to -------------------------------------------------------
---------------------------------------------------------------------
Simon Cornish
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
2 Likes