Patch Package OTP 26.0.1 Released

Patch Package:           OTP 26.0.1
Git Tag:                 OTP-26.0.1
Date:                    2023-06-08
Trouble Report Id:       OTP-18576, OTP-18578, OTP-18581, OTP-18583,
                         OTP-18584, OTP-18585, OTP-18587, OTP-18588,
                         OTP-18593, OTP-18595, OTP-18596, OTP-18597,
                         OTP-18600, OTP-18601, OTP-18602, OTP-18603,
                         OTP-18604, OTP-18617, OTP-18619, OTP-18621,
                         OTP-18632
Seq num:                 ERIERL-944, GH-7213, GH-7247, GH-7248,
                         GH-7251, GH-7252, GH-7259, GH-7264, GH-7282,
                         GH-7288, GH-7297, GH-7301, GH-7303, GH-7338,
                         GH-7339
System:                  OTP
Release:                 26
Application:             compiler-8.3.1, erts-14.0.1, inets-9.0.1,
                         kernel-9.0.1, ssl-11.0.1, stdlib-5.0.1,
                         xmerl-1.3.32
Predecessor:             OTP 26.0

 Check out the git tag OTP-26.0.1, and build a full OTP system
 including documentation. Apply one or more applications from this
 build as patches to your installation using the 'otp_patch_apply'
 tool. For information on install requirements, see descriptions for
 each application version below.

 ---------------------------------------------------------------------
 --- compiler-8.3.1 --------------------------------------------------
 ---------------------------------------------------------------------

 The compiler-8.3.1 application can be applied independently of other
 applications on a full OTP 26 installation.

 --- Fixed Bugs and Malfunctions ---

  OTP-18576    Application(s): compiler

               Fixed a bug where a failing bsl expression in a guard
               threw an exception instead of causing the guard to
               fail.


  OTP-18581    Application(s): compiler
               Related Id(s): GH-7251

               Fixed a bug that would cause the validator to reject
               legal code.


  OTP-18583    Application(s): compiler
               Related Id(s): GH-7259

               The compiler could re-order clauses matching binaries
               so that the incorrect clause would match. That could
               only happen for code that used the option
               {error_location,line} or for code without line or
               column number information (e.g. generated by a parse
               transform).


  OTP-18593    Application(s): compiler
               Related Id(s): GH-7252

               Complex guard expression using the or operator and
               guard BIFs that can fail could sometimes be miscompiled
               so that the guard would succeed even if a call to a
               guard BIF failed.


  OTP-18600    Application(s): compiler
               Related Id(s): GH-7248

               With optimizations disabled, a try/catch construct
               could return an incorrect value.


  OTP-18601    Application(s): compiler

               In rare circumstances, a combination of binary
               construction and binary_part/3 would cause the compiler
               to generate unsafe code that would crash the runtime
               system.


  OTP-18617    Application(s): compiler
               Related Id(s): GH-7338

               The compiler could be very slow when compiling guards
               with multiple guard tests separated with 'or' or ';'.


  OTP-18619    Application(s): compiler
               Related Id(s): GH-7339

               Complex guard expressions using 'or' and map updates
               could succeed even if the map update failed.


 Full runtime dependencies of compiler-8.3.1: crypto-5.1, erts-13.0,
 kernel-8.4, stdlib-5.0


 ---------------------------------------------------------------------
 --- erts-14.0.1 -----------------------------------------------------
 ---------------------------------------------------------------------

 The erts-14.0.1 application can be applied independently of other
 applications on a full OTP 26 installation.

 --- Fixed Bugs and Malfunctions ---

  OTP-18585    Application(s): erts
               Related Id(s): OTP-18029

               Build of the socket nif failed on Solaris 11.


  OTP-18587    Application(s): erts

               Fixed two reduction-counting bugs relating to binaries.


  OTP-18597    Application(s): erts

               Constructing a binary segment not aligned with a byte
               boundary, with a size not fitting in 31 bits, and with
               a value not fitting in a 64-bit word could crash the
               runtime system.


  OTP-18602    Application(s): erts
               Related Id(s): GH-7282

               When a binary construction failed because of bad size
               for a segment, the error information was not always
               correct.


  OTP-18621    Application(s): erts
               Related Id(s): GH-7288

               Fixed a crash when calling a fun that was defined in a
               module that had been upgraded.


 Full runtime dependencies of erts-14.0.1: kernel-9.0, sasl-3.3,
 stdlib-4.1


 ---------------------------------------------------------------------
 --- inets-9.0.1 -----------------------------------------------------
 ---------------------------------------------------------------------

 The inets-9.0.1 application can be applied independently of other
 applications on a full OTP 26 installation.

 --- Fixed Bugs and Malfunctions ---

  OTP-18604    Application(s): inets
               Related Id(s): GH-7303, PR-7306

               Do not make the default ssl options by calling
               httpc:ssl_verify_host_options(true) if ssl options are
               supplied by the user.


 Full runtime dependencies of inets-9.0.1: erts-14.0, kernel-9.0,
 mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0,
 stdlib-5.0, stdlib-5.0


 ---------------------------------------------------------------------
 --- kernel-9.0.1 ----------------------------------------------------
 ---------------------------------------------------------------------

 The kernel-9.0.1 application can be applied independently of other
 applications on a full OTP 26 installation.

 --- Fixed Bugs and Malfunctions ---

  OTP-18578    Application(s): kernel, stdlib
               Related Id(s): GH-7213

               The POSIX error exdev was sometimes incorrectly
               described as "cross domain link" in some error
               messages.


  OTP-18584    Application(s): kernel
               Related Id(s): #7238

               Corrected the socket send function description (send
               with Timeout = nowait). The send function(s) could not
               return {ok, {RestData, SelectInfo}}


 Full runtime dependencies of kernel-9.0.1: crypto-5.0, erts-14.0,
 sasl-3.0, stdlib-5.0


 ---------------------------------------------------------------------
 --- ssl-11.0.1 ------------------------------------------------------
 ---------------------------------------------------------------------

 The ssl-11.0.1 application can be applied independently of other
 applications on a full OTP 26 installation.

 --- Fixed Bugs and Malfunctions ---

  OTP-18588    Application(s): ssl
               Related Id(s): GH-7264, PR-7277

               Make sure that selection of client certificates handles
               both TLS-1.3 and TLS-1.2 names correctly. The bug could
               cause a valid client certificate to not be selected, and
               an empty client certificate message to be sent to the
               server.


  OTP-18596    Application(s): ssl
               Related Id(s): GH-7247

               Improved ssl:format_error/1 to handle more error
               tuples.


  OTP-18603    Application(s): ssl
               Related Id(s): GH-7297

               Fixed hanging ssl:connect when ssl application is not
               started.


  OTP-18632    Application(s): ssl
               Related Id(s): GH-7301, PR-7300

               Correct handling of retransmission timers; the current
               behavior could cause unwanted delays.


 Full runtime dependencies of ssl-11.0.1: crypto-5.0, erts-14.0,
 inets-5.10.7, kernel-9.0, public_key-1.11.3, runtime_tools-1.15.1,
 stdlib-4.1


 ---------------------------------------------------------------------
 --- stdlib-5.0.1 ----------------------------------------------------
 ---------------------------------------------------------------------

 The stdlib-5.0.1 application can be applied independently of other
 applications on a full OTP 26 installation.

 --- Fixed Bugs and Malfunctions ---

  OTP-18578    Application(s): kernel, stdlib
               Related Id(s): GH-7213

               The POSIX error exdev was sometimes incorrectly
               described as "cross domain link" in some error
               messages.


 Full runtime dependencies of stdlib-5.0.1: compiler-5.0, crypto-4.5,
 erts-13.1, kernel-9.0, sasl-3.0


 ---------------------------------------------------------------------
 --- xmerl-1.3.32 ----------------------------------------------------
 ---------------------------------------------------------------------

 The xmerl-1.3.32 application can be applied independently of other
 applications on a full OTP 26 installation.

 --- Fixed Bugs and Malfunctions ---

  OTP-18595    Application(s): xmerl
               Related Id(s): ERIERL-944

               New options to xmerl_scan and xmerl_sax_parser so one
               can limit the behaviour of the parsers to avoid some
               XML security issues.

               xmerl_scan gets one new option:

               -- {allow_entities, Boolean} -- Gives the possibility
               to disallow entities by setting this option to false
               (true is default)

               xmerl_sax_parser gets the following options:

               -- disallow_entities -- Don't allow entities in
               document

               -- {entity_recurse_limit, N} -- Set a limit on entity
               recursion depth (default is 3)

               -- {external_entities, AllowedType} -- Specify which
               types of external entities are allowed; this also
               affects external DTDs. The types are all (default),
               file and none

               -- {fail_undeclared_ref, Boolean} -- Sets the behavior
               for undeclared references that occur because an
               external file is not parsed (true is default)

               The old option skip_external_dtd is still valid and the
               same as {external_entities, none} and
               {fail_undeclared_ref, false} but just affects DTDs and
               not other external references.


 Full runtime dependencies of xmerl-1.3.32: erts-6.0, kernel-3.0,
 stdlib-2.5


 ---------------------------------------------------------------------
 ---------------------------------------------------------------------
 ---------------------------------------------------------------------

5 Likes
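
The xmerl options from OTP-18595 applied to untrusted input, as an added example (not part of the release notes or of OTP's own code). The module name, function names and the two sample documents are constructed for illustration; only the parser options come from the notes above.

```erlang
-module(xmerl_hardening_example).
-export([scan_strict/1, sax_strict/1, demo/0]).

%% xmerl_scan (DOM-style): refuse any document that uses entities.
%% xmerl_scan signals fatal parse errors by exiting, so map that to a tuple.
scan_strict(Xml) when is_list(Xml) ->
    try xmerl_scan:string(Xml, [{allow_entities, false}, {quiet, true}]) of
        {Doc, _Rest} -> {ok, Doc}
    catch
        _:Reason -> {error, Reason}
    end.

%% xmerl_sax_parser: no entities at all, and no external entities or DTDs.
%% To keep internal entities, drop disallow_entities and bound expansion
%% with {entity_recurse_limit, N} instead.
sax_strict(Xml) ->
    Opts = [disallow_entities,
            {external_entities, none},
            {event_state, 0},
            {event_fun, fun count_elements/3}],
    case xmerl_sax_parser:stream(Xml, Opts) of
        {ok, Count, _Rest} -> {ok, Count};
        {Tag, _Location, Reason, _EndTags, _State} -> {error, {Tag, Reason}}
    end.

%% Minimal SAX handler: counts start tags so the caller gets a result.
count_elements({startElement, _Uri, _Local, _QName, _Attrs}, _Loc, N) -> N + 1;
count_elements(_Event, _Loc, N) -> N.

%% Runs both parsers over two constructed documents: one plain, one that
%% declares and references a harmless internal entity.
demo() ->
    Plain = "<r><a/></r>",
    WithEntity = "<!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>",
    [{Name, tag(scan_strict(X)), tag(sax_strict(X))}
     || {Name, X} <- [{plain, Plain}, {with_entity, WithEntity}]].

tag({ok, _}) -> accepted;
tag({error, _}) -> rejected.
```

Compile against xmerl-1.3.32 or later and call xmerl_hardening_example:demo() to see which of the two documents each parser accepts under these options.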

I guess the OTP did not get the XML entity memo a decade or so ago.

Something any Nextroll folks here being in that space may find amusing, I remember back in the bad old days of being an employee having fun putting XML entities in our VAST responses to SpotX and watching the hilarity ensue…

No idea if they ever fixed that…

Interesting to know how much networking kit out there by Ericsson (and Cisco, which I think uses Erlang widely too) has this enabled? Anyone want to update their bespoke NETCONF devices to start returning entities? 🙂

1 Like