Patch Package: OTP 26.2.5.11
Git Tag: OTP-26.2.5.11
Date: 2025-04-16
Trouble Report Id: OTP-19496, OTP-19582, OTP-19595
Seq num: CVE-2025-32433, GH-9190, PR-9463, PR-9679
System: OTP
Release: 26
Application: ssh-5.1.4.8, xmerl-1.3.34.2
Predecessor: OTP 26.2.5.10
Check out the git tag OTP-26.2.5.11, and build a full OTP system
including documentation. Apply one or more applications from this
build as patches to your installation using the 'otp_patch_apply'
tool. For information on install requirements, see descriptions for
each application version below.
---------------------------------------------------------------------
--- ssh-5.1.4.8 -----------------------------------------------------
---------------------------------------------------------------------
The ssh-5.1.4.8 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19582 Application(s): ssh
Related Id(s): PR-9679
Reception of wrong Unicode does not cause unnecessary
processing. US-ASCII fields are not decoded as Unicode.
OTP-19595 Application(s): ssh
Related Id(s): CVE-2025-32433
SSH daemon disconnects upon receiving connection
protocol message for unauthenticated used.
Thanks to Fabian Bäumer, Marcel Maehren, Marcus
Brinkmann, Nurullah Erinola, Jörg Schwenk (Ruhr
University Bochum).
Full runtime dependencies of ssh-5.1.4.8: crypto-5.0, erts-14.0,
kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0,
stdlib-5.0
---------------------------------------------------------------------
--- xmerl-1.3.34.2 --------------------------------------------------
---------------------------------------------------------------------
The xmerl-1.3.34.2 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19496 Application(s): xmerl
Related Id(s): GH-9190, PR-9463
Some old-style catch expressions in the
xmerl_sax_parser when the continuation fun was called
caused the stack to grow until all free memory was
exhausted. These parts have been rewritten so that the
parser now runs correctly without growing the stack. At
the same time all old-style catch expressions in xmerl
were replaced with try/catch.
Full runtime dependencies of xmerl-1.3.34.2: erts-6.0, kernel-8.4,
stdlib-2.5
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
2 Likes