Patch Package OTP 26.2.5.11 Released

Patch Package:           OTP 26.2.5.11
Git Tag:                 OTP-26.2.5.11
Date:                    2025-04-16
Trouble Report Id:       OTP-19496, OTP-19582, OTP-19595
Seq num:                 CVE-2025-32433, GH-9190, PR-9463, PR-9679
System:                  OTP
Release:                 26
Application:             ssh-5.1.4.8, xmerl-1.3.34.2
Predecessor:             OTP 26.2.5.10

 Check out the git tag OTP-26.2.5.11, and build a full OTP system
 including documentation. Apply one or more applications from this
 build as patches to your installation using the 'otp_patch_apply'
 tool. For information on install requirements, see descriptions for
 each application version below.

 ---------------------------------------------------------------------
 --- ssh-5.1.4.8 -----------------------------------------------------
 ---------------------------------------------------------------------

 The ssh-5.1.4.8 application can be applied independently of other
 applications on a full OTP 26 installation.

 --- Fixed Bugs and Malfunctions ---

  OTP-19582    Application(s): ssh
               Related Id(s): PR-9679

               Reception of wrong Unicode does not cause unnecessary
               processing. US-ASCII fields are not decoded as Unicode.


  OTP-19595    Application(s): ssh
               Related Id(s): CVE-2025-32433

               SSH daemon disconnects upon receiving connection
               protocol message for unauthenticated used.

               Thanks to Fabian Bäumer, Marcel Maehren, Marcus
               Brinkmann, Nurullah Erinola, Jörg Schwenk (Ruhr
               University Bochum).


 Full runtime dependencies of ssh-5.1.4.8: crypto-5.0, erts-14.0,
 kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0,
 stdlib-5.0


 ---------------------------------------------------------------------
 --- xmerl-1.3.34.2 --------------------------------------------------
 ---------------------------------------------------------------------

 The xmerl-1.3.34.2 application can be applied independently of other
 applications on a full OTP 26 installation.

 --- Fixed Bugs and Malfunctions ---

  OTP-19496    Application(s): xmerl
               Related Id(s): GH-9190, PR-9463

               Some old-style catch expressions in the
               xmerl_sax_parser when the continuation fun was called
               caused the stack to grow until all free memory was
               exhausted. These parts have been rewritten so that the
               parser now runs correctly without growing the stack. At
               the same time all old-style catch expressions in xmerl
               were replaced with try/catch.


 Full runtime dependencies of xmerl-1.3.34.2: erts-6.0, kernel-8.4,
 stdlib-2.5


 ---------------------------------------------------------------------
 ---------------------------------------------------------------------
 ---------------------------------------------------------------------
2 Likes