Patch Package OTP 26.2.5.13 Released

Patch Package:           OTP 26.2.5.13
Git Tag:                 OTP-26.2.5.13
Date:                    2025-06-16
Trouble Report Id:       OTP-19634, OTP-19637, OTP-19638, OTP-19649,
                         OTP-19653, OTP-19667
Seq num:                 CVE-2025-4748, GH-6463, GH-9102, GH-9771,
                         GH-9841, PR-9103, PR-9838, PR-9846, PR-9898,
                         PR-9912, PR-9941
System:                  OTP
Release:                 26
Application:             asn1-5.2.2.1, kernel-9.2.4.9, ssh-5.1.4.10,
                         stdlib-5.2.3.4
Predecessor:             OTP 26.2.5.12

 Check out the git tag OTP-26.2.5.13, and build a full OTP system
 including documentation. Apply one or more applications from this
 build as patches to your installation using the 'otp_patch_apply'
 tool. For information on install requirements, see descriptions for
 each application version below.

 ---------------------------------------------------------------------
 --- asn1-5.2.2.1 ----------------------------------------------------
 ---------------------------------------------------------------------

 The asn1-5.2.2.1 application can be applied independently of other
 applications on a full OTP 26 installation.

 --- Fixed Bugs and Malfunctions ---

  OTP-19638    Application(s): asn1
               Related Id(s): GH-9841, PR-9846

               The ASN.1 compiler could generate code that would cause
               Dialyzer with the unmatched_returns option to emit
               warnings.


 Full runtime dependencies of asn1-5.2.2.1: erts-11.0, kernel-7.0,
 stdlib-3.13


 ---------------------------------------------------------------------
 --- kernel-9.2.4.9 --------------------------------------------------
 ---------------------------------------------------------------------

 The kernel-9.2.4.9 application can be applied independently of other
 applications on a full OTP 26 installation.

 --- Fixed Bugs and Malfunctions ---

  OTP-19667    Application(s): kernel, stdlib
               Related Id(s): PR-9912

               A remote shell can now exit by closing the input
               stream, without terminating the remote node.


 Full runtime dependencies of kernel-9.2.4.9: crypto-5.0, erts-14.0,
 sasl-3.0, stdlib-5.0


 ---------------------------------------------------------------------
 --- ssh-5.1.4.10 ----------------------------------------------------
 ---------------------------------------------------------------------

 The ssh-5.1.4.10 application can be applied independently of other
 applications on a full OTP 26 installation.

 --- Fixed Bugs and Malfunctions ---

  OTP-19634    Application(s): ssh
               Related Id(s): GH-9102, PR-9103

               Various channel closing robustness improvements. Avoid
               crashes when channel handling process closes channel
               and immediately exits. Avoid breaking the protocol by
               sending duplicated channel-close messages. Cleanup
               channels which timeout during closing procedure.


  OTP-19637    Application(s): ssh
               Related Id(s): GH-6463, PR-9838

               Improved interoperability with clients acting as
               Paramiko.


 Full runtime dependencies of ssh-5.1.4.10: crypto-5.0, erts-14.0,
 kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0,
 stdlib-5.0


 ---------------------------------------------------------------------
 --- stdlib-5.2.3.4 --------------------------------------------------
 ---------------------------------------------------------------------

 The stdlib-5.2.3.4 application can be applied independently of other
 applications on a full OTP 26 installation.

 --- Fixed Bugs and Malfunctions ---

  OTP-19649    Application(s): stdlib
               Related Id(s): GH-9771, PR-9898

               It's now possible to write lists:map(fun is_atom/1, [])
               or lists:map(fun my_func/1, []), in the shell, instead
               of lists:map(fun erlang:is_atom/1, []) or lists:map(fun
               shell_default:my_func/1, []).


  OTP-19653    Application(s): stdlib
               Related Id(s): PR-9941, CVE-2025-4748

               Properly strip the leading / and drive letter from
               filepaths when zipping and unzipping archives.

               Thanks to Wander Nauta for finding and responsibly
               disclosing this vulnerability to the Erlang/OTP
               project.


  OTP-19667    Application(s): kernel, stdlib
               Related Id(s): PR-9912

               A remote shell can now exit by closing the input
               stream, without terminating the remote node.


 Full runtime dependencies of stdlib-5.2.3.4: compiler-5.0,
 crypto-4.5, erts-13.1, kernel-9.0, sasl-3.0


 ---------------------------------------------------------------------
 --- Thanks to -------------------------------------------------------
 ---------------------------------------------------------------------

 Yaroslav Maslennikov


 ---------------------------------------------------------------------
 ---------------------------------------------------------------------
 ---------------------------------------------------------------------
1 Like