Patch Package:           OTP 28.0.2
Git Tag:                 OTP-28.0.2
Date:                    2025-07-17
Trouble Report Id:       OTP-19661, OTP-19670, OTP-19673, OTP-19674,
                         OTP-19678, OTP-19680, OTP-19682, OTP-19683,
                         OTP-19684, OTP-19687, OTP-19690, OTP-19691,
                         OTP-19697, OTP-19699, OTP-19700, OTP-19702,
                         OTP-19703, OTP-19707, OTP-19710, OTP-19711
Seq num:                 ERIERL-1240, ERIERL-1241, ERIERL-1242,
                         GH-10001, GH-10007, GH-10028, GH-10047,
                         GH-9632, GH-9655, GH-9858, GH-9884, GH-9992,
                         PR-10003, PR-10008, PR-10016, PR-10023,
                         PR-10024, PR-10029, PR-10031, PR-10035,
                         PR-10036, PR-10039, PR-10048, PR-9887,
                         PR-9930, PR-9952, PR-9953, PR-9955, PR-9994,
                         PR-9996
System:                  OTP
Release:                 28
Application:             compiler-9.0.1, debugger-6.0.2, erts-16.0.2,
                         kernel-10.3.2, public_key-1.18.2, ssh-5.3.2,
                         ssl-11.3.2, stdlib-7.0.2, wx-2.5.1
Predecessor:             OTP 28.0.1

Check out the git tag OTP-28.0.2, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

OTP-28.0.2

Fixed Bugs and Malfunctions

• Fix otp_patch_apply to work with Erlang/OTP 28 and later.

  Own Id: OTP-19682
  Related Id(s): PR-9953

compiler-9.0.1

The compiler-9.0.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fixed a bug that could cause empty bitstring matches to always succeed, even when they should not.

  Own Id: OTP-19711
  Related Id(s): GH-10047, PR-10048

Full runtime dependencies of compiler-9.0.1

crypto-5.1, erts-13.0, kernel-8.4, stdlib-6.0

debugger-6.0.2

The debugger-6.0.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fixed debugger priv dir, which was removed and caused crashes when the icons could not be found.

  Own Id: OTP-19687
  Related Id(s): GH-9858, PR-9994

Full runtime dependencies of debugger-6.0.2

compiler-8.0, erts-15.0, kernel-10.0, stdlib-7.0, wx-2.0

erts-16.0.2

The erts-16.0.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• prim_net nif used incorrect encoding for family resulting in non-functional address selection.

  Own Id: OTP-19674

• Fix windows uninstall command.

  Own Id: OTP-19683
  Related Id(s): GH-9884, GH-9992, PR-9887

• With this change erlang will start if it receives short (ms-dos compatible) path to executable.

  Own Id: OTP-19690
  Related Id(s): PR-9996

Improvements and New Features

• The maximum amount of connections for epmd on Windows platforms has been increased from 64 to 1024.

  Own Id: OTP-19710
  Related Id(s): PR-10039

Full runtime dependencies of erts-16.0.2

kernel-9.0, sasl-3.3, stdlib-4.1

kernel-10.3.2

The kernel-10.3.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• socket:sendv/3 with 'nowait' sometimes return 'completion' without 'CompletionInfo' (Windows only).

  Own Id: OTP-19661

• prim_net nif used incorrect encoding for family resulting in non-functional address selection.

  Own Id: OTP-19674

• socket:accept can return unexpected 'select_sent'.

  Own Id: OTP-19684
  Related Id(s): ERIERL-1242

• net_kernel could be blocked for a very long time when selecting distribution module for a connection if the DNS service was slow. This prevented any new connections to be set up during that time.

  Own Id: OTP-19702
  Related Id(s): ERIERL-1241, PR-10029

Improvements and New Features

• Improved documentation of CompletionStatus for asynchronous (nowait) socket operations.

  Own Id: OTP-19670
  Related Id(s): PR-9930

Full runtime dependencies of kernel-10.3.2

crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-6.0

public_key-1.18.2

The public_key-1.18.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Adjustments in include file to retain compatibility with supported ASN-1 standards, although not all record and macros are explicitly documented.

  Own Id: OTP-19678
  Related Id(s): GH-10001, PR-10008, PR-9955

• Handle certificates that are signed with RSASSA-PSS but the PSS params are specified in the 'SignatureAlgorithm' of the signed cert and not in the signer's 'SubjectPublicKeyInfo'.

  Own Id: OTP-19699
  Related Id(s): GH-9632, PR-10023

• Add modern ASN-1 specs to be able to retain support for ExtensionRequest from legacy PKCS-9 spec.

  Own Id: OTP-19703
  Related Id(s): GH-10028, PR-10031

Full runtime dependencies of public_key-1.18.2

asn1-5.0, crypto-5.0, erts-13.0, kernel-8.0, stdlib-4.0

ssh-5.3.2

The ssh-5.3.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fix file handle id generation.

  Own Id: OTP-19691
  Related Id(s): PR-10003

• Fixes a badmatch error, when SFTP operation cannot be processed due to channel closed in parallel.

  Own Id: OTP-19707
  Related Id(s): GH-9655, PR-10035, PR-10036

Full runtime dependencies of ssh-5.3.2

crypto-5.0, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0

ssl-11.3.2

The ssl-11.3.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Improve error message for bad arguments to underlying connect.

  Own Id: OTP-19697
  Related Id(s): GH-10007, PR-10016

Full runtime dependencies of ssl-11.3.2

crypto-5.6, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.16.4, runtime_tools-1.15.1, stdlib-7.0

stdlib-7.0.2

The stdlib-7.0.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• A set of small bugs in sort stability for `lists:sort/1` and `lists:keysort/1` has been fixed. The bug happened for only some, seemingly random, element sequences. Most sorts were stable.

  Sort stability for `lists:sort/1` is only possible to observe when sorting lists with floating point and integer numbers of the same value.

  For `lists:keysort/1` the list had to start with two tuples where the keys or the whole tuples compared equal.

  Own Id: OTP-19673
  Related Id(s): ERIERL-1240

• Fixed bug in io_lib:bformat/2 which crashed if format string contained unicode characters.

  Own Id: OTP-19680
  Related Id(s): PR-9952

Full runtime dependencies of stdlib-7.0.2

compiler-5.0, crypto-4.5, erts-16.0, kernel-10.0, sasl-3.0, syntax_tools-3.2.1

wx-2.5.1

The wx-2.5.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Don't include gl.beam in pre-built source tar file, since it depends on local configure results.

  Own Id: OTP-19700
  Related Id(s): PR-10024

Full runtime dependencies of wx-2.5.1

erts-12.0, kernel-8.0, stdlib-5.0

Thanks to

Dmytro Lytovchenko

GH-10001: #10001 GH-10007: #10007 GH-10028: #10028 GH-10047: #10047 GH-9632: #9632 GH-9655: #9655 GH-9858: #9858 GH-9884: #9884 GH-9992: #9992 PR-10003: #10003 PR-10008: #10008 PR-10016: #10016 PR-10023: #10023 PR-10024: #10024 PR-10029: #10029 PR-10031: #10031 PR-10035: #10035 PR-10036: #10036 PR-10039: #10039 PR-10048: #10048 PR-9887: #9887 PR-9930: #9930 PR-9952: #9952 PR-9953: #9953 PR-9955: #9955 PR-9994: #9994 PR-9996: #9996

Patch Package:           OTP 27.3.4.2
Git Tag:                 OTP-27.3.4.2
Date:                    2025-07-17
Trouble Report Id:       OTP-19661, OTP-19670, OTP-19673, OTP-19681,
                         OTP-19683, OTP-19684, OTP-19688, OTP-19691,
                         OTP-19697, OTP-19699, OTP-19702, OTP-19707,
                         OTP-19710, OTP-19711
Seq num:                 ERIERL-1240, ERIERL-1241, ERIERL-1242,
                         GH-10007, GH-10047, GH-9632, GH-9655,
                         GH-9884, GH-9992, PR-10003, PR-10016,
                         PR-10023, PR-10029, PR-10035, PR-10036,
                         PR-10039, PR-10048, PR-9843, PR-9887,
                         PR-9930, PR-9949
System:                  OTP
Release:                 27
Application:             asn1-5.3.4.2, compiler-8.6.1.1,
                         erts-15.2.7.1, kernel-10.2.7.2,
                         public_key-1.17.1.1, ssh-5.2.11.2,
                         ssl-11.2.12.2, stdlib-6.2.2.2
Predecessor:             OTP 27.3.4.1

Check out the git tag OTP-27.3.4.2, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

asn1-5.3.4.2

The asn1-5.3.4.2 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• Decoding a constrained BIT STRING using JER was broken.

  Own Id: OTP-19681
  Related Id(s): PR-9949

Full runtime dependencies of asn1-5.3.4.2

erts-14.0, kernel-9.0, stdlib-5.0

compiler-8.6.1.1

The compiler-8.6.1.1 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• Fixed a bug that could cause empty bitstring matches to always succeed, even when they should not.

  Own Id: OTP-19711
  Related Id(s): GH-10047, PR-10048

Full runtime dependencies of compiler-8.6.1.1

crypto-5.1, erts-13.0, kernel-8.4, stdlib-6.0

erts-15.2.7.1

The erts-15.2.7.1 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• Fix windows uninstall command.

  Own Id: OTP-19683
  Related Id(s): GH-9884, GH-9992, PR-9887

Improvements and New Features

• The maximum amount of connections for epmd on Windows platforms has been increased from 64 to 1024.

  Own Id: OTP-19710
  Related Id(s): PR-10039

Full runtime dependencies of erts-15.2.7.1

kernel-9.0, sasl-3.3, stdlib-4.1

kernel-10.2.7.2

Note! The kernel-10.2.7.2 application cannot be applied independently of other applications on an arbitrary OTP 27 installation.

   On a full OTP 27 installation, also the following runtime
   dependency has to be satisfied:
   -- erts-15.2.5 (first satisfied in OTP 27.3.2)

Fixed Bugs and Malfunctions

• socket:sendv/3 with 'nowait' sometimes return 'completion' without 'CompletionInfo' (Windows only).

  Own Id: OTP-19661

• socket:accept can return unexpected 'select_sent'.

  Own Id: OTP-19684
  Related Id(s): ERIERL-1242

• net_kernel could be blocked for a very long time when selecting distribution module for a connection if the DNS service was slow. This prevented any new connections to be set up during that time.

  Own Id: OTP-19702
  Related Id(s): ERIERL-1241, PR-10029

Improvements and New Features

• Improved documentation of CompletionStatus for asynchronous (nowait) socket operations.

  Own Id: OTP-19670
  Related Id(s): PR-9930

Full runtime dependencies of kernel-10.2.7.2

crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-6.0

public_key-1.17.1.1

The public_key-1.17.1.1 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• Handle certificates that are signed with RSASSA-PSS but the PSS params are specified in the 'SignatureAlgorithm' of the signed cert and not in the signer's 'SubjectPublicKeyInfo'.

  Own Id: OTP-19699
  Related Id(s): GH-9632, PR-10023

Full runtime dependencies of public_key-1.17.1.1

asn1-5.0, crypto-5.0, erts-13.0, kernel-8.0, stdlib-4.0

ssh-5.2.11.2

The ssh-5.2.11.2 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• Fix file handle id generation.

  Own Id: OTP-19691
  Related Id(s): PR-10003

• Fixes a badmatch error, when SFTP operation cannot be processed due to channel closed in parallel.

  Own Id: OTP-19707
  Related Id(s): GH-9655, PR-10035, PR-10036

Full runtime dependencies of ssh-5.2.11.2

crypto-5.0, erts-14.0, kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0

ssl-11.2.12.2

Note! The ssl-11.2.12.2 application cannot be applied independently of other applications on an arbitrary OTP 27 installation.

   On a full OTP 27 installation, also the following runtime
   dependency has to be satisfied:
   -- public_key-1.16.4 (first satisfied in OTP 27.1.3)

Fixed Bugs and Malfunctions

• Improve error message for bad arguments to underlying connect.

  Own Id: OTP-19697
  Related Id(s): GH-10007, PR-10016

Improvements and New Features

• Allow the PSK identity to be the empty string in TLS-1.2 for compatibility reasons. It is allowed according to the spec although providing a proper value makes more sense.

  Own Id: OTP-19688
  Related Id(s): PR-9843

Full runtime dependencies of ssl-11.2.12.2

crypto-5.0, erts-15.0, inets-5.10.7, kernel-9.0, public_key-1.16.4, runtime_tools-1.15.1, stdlib-6.0

stdlib-6.2.2.2

The stdlib-6.2.2.2 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• A set of small bugs in sort stability for `lists:sort/1` and `lists:keysort/1` has been fixed. The bug happened for only some, seemingly random, element sequences. Most sorts were stable.

  Sort stability for `lists:sort/1` is only possible to observe when sorting lists with floating point and integer numbers of the same value.

  For `lists:keysort/1` the list had to start with two tuples where the keys or the whole tuples compared equal.

  Own Id: OTP-19673
  Related Id(s): ERIERL-1240

Full runtime dependencies of stdlib-6.2.2.2

compiler-5.0, crypto-4.5, erts-15.0, kernel-10.0, sasl-3.0

Thanks to

Dmytro Lytovchenko

GH-10007: #10007 GH-10047: #10047 GH-9632: #9632 GH-9655: #9655 GH-9884: #9884 GH-9992: #9992 PR-10003: #10003 PR-10016: #10016 PR-10023: #10023 PR-10029: #10029 PR-10035: #10035 PR-10036: #10036 PR-10039: #10039 PR-10048: #10048 PR-9843: #9843 PR-9887: #9887 PR-9930: #9930 PR-9949: #9949

Patch Package:           OTP 27.3.4.1
Git Tag:                 OTP-27.3.4.1
Date:                    2025-06-16
Trouble Report Id:       OTP-19634, OTP-19635, OTP-19637, OTP-19638,
                         OTP-19640, OTP-19646, OTP-19647, OTP-19649,
                         OTP-19653, OTP-19658, OTP-19659, OTP-19662,
                         OTP-19667, OTP-19676
Seq num:                 CVE-2025-4748, ERIERL-1225, ERIERL-1235,
                         GH-6463, GH-9102, GH-9722, GH-9771, GH-9816,
                         GH-9841, GH-9875, PR-9103, PR-9691, PR-9838,
                         PR-9846, PR-9849, PR-9859, PR-9876, PR-9896,
                         PR-9897, PR-9898, PR-9905, PR-9912, PR-9941
System:                  OTP
Release:                 27
Application:             asn1-5.3.4.1, eldap-1.2.14.1,
                         kernel-10.2.7.1, ssh-5.2.11.1, ssl-11.2.12.1,
                         stdlib-6.2.2.1, xmerl-2.1.3.1
Predecessor:             OTP 27.3.4

Check out the git tag OTP-27.3.4.1, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

OTP-27.3.4.1

Fixed Bugs and Malfunctions

• Disable warnings as error for ex_doc when any Erlang/OTP application has been disabled by configure.

  Own Id: OTP-19646
  Related Id(s): GH-9875, PR-9876

asn1-5.3.4.1

The asn1-5.3.4.1 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• The ASN.1 compiler could generate code that would cause Dialyzer with the unmatched_returns option to emit warnings.

  Own Id: OTP-19638
  Related Id(s): GH-9841, PR-9846

Full runtime dependencies of asn1-5.3.4.1

erts-14.0, kernel-9.0, stdlib-5.0

eldap-1.2.14.1

The eldap-1.2.14.1 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• With this change eldap's 'not' function will have specs fixed.

  Own Id: OTP-19658
  Related Id(s): PR-9859

Full runtime dependencies of eldap-1.2.14.1

asn1-3.0, erts-6.0, kernel-3.0, ssl-5.3.4, stdlib-3.4

kernel-10.2.7.1

Note! The kernel-10.2.7.1 application cannot be applied independently of other applications on an arbitrary OTP 27 installation.

   On a full OTP 27 installation, also the following runtime
   dependency has to be satisfied:
   -- erts-15.2.5 (first satisfied in OTP 27.3.2)

Fixed Bugs and Malfunctions

• A remote shell can now exit by closing the input stream, without terminating the remote node.

  Own Id: OTP-19667
  Related Id(s): PR-9912

Improvements and New Features

• Document default buffer sizes

  Own Id: OTP-19640
  Related Id(s): GH-9722

Full runtime dependencies of kernel-10.2.7.1

crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-6.0

ssh-5.2.11.1

The ssh-5.2.11.1 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• Various channel closing robustness improvements. Avoid crashes when channel handling process closes channel and immediately exits. Avoid breaking the protocol by sending duplicated channel-close messages. Cleanup channels which timeout during closing procedure.

  Own Id: OTP-19634
  Related Id(s): GH-9102, PR-9103

• Improved interoperability with clients acting as Paramiko.

  Own Id: OTP-19637
  Related Id(s): GH-6463, PR-9838

Full runtime dependencies of ssh-5.2.11.1

crypto-5.0, erts-14.0, kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0

ssl-11.2.12.1

Note! The ssl-11.2.12.1 application cannot be applied independently of other applications on an arbitrary OTP 27 installation.

   On a full OTP 27 installation, also the following runtime
   dependency has to be satisfied:
   -- public_key-1.16.4 (first satisfied in OTP 27.1.3)

Fixed Bugs and Malfunctions

• hs_keylog callback properly handle alert in initial states, where encryption is not yet used. Also add keylog callback invocation for corner-case where server alert is encrypted with application secrets as client is already in connection state.

  Own Id: OTP-19635
  Related Id(s): ERIERL-1235, PR-9849

Improvements and New Features

• The documentation for SSL option verify_fun has been improved.

  Own Id: OTP-19676
  Related Id(s): PR-9691

Full runtime dependencies of ssl-11.2.12.1

crypto-5.0, erts-15.0, inets-5.10.7, kernel-9.0, public_key-1.16.4, runtime_tools-1.15.1, stdlib-6.0

stdlib-6.2.2.1

The stdlib-6.2.2.1 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• The save_module/1 command in the shell now saves both the locally defined records and the imported records using the rr/1 command.

  Own Id: OTP-19647
  Related Id(s): GH-9816, PR-9897

• It's now possible to write lists:map(fun is_atom/1, []) or lists:map(fun my_func/1, []), in the shell, instead of lists:map(fun erlang:is_atom/1, []) or lists:map(fun shell_default:my_func/1, []).

  Own Id: OTP-19649
  Related Id(s): GH-9771, PR-9898

• Properly strip the leading / and drive letter from filepaths when zipping and unzipping archives.

  Thanks to Wander Nauta for finding and responsibly disclosing this vulnerability to the Erlang/OTP project.

  Own Id: OTP-19653
  Related Id(s): PR-9941, CVE-2025-4748

• Shell no longer crashes when requesting to autocomplete map keys containing non-atoms.

  Own Id: OTP-19659
  Related Id(s): PR-9896

• A remote shell can now exit by closing the input stream, without terminating the remote node.

  Own Id: OTP-19667
  Related Id(s): PR-9912

Full runtime dependencies of stdlib-6.2.2.1

compiler-5.0, crypto-4.5, erts-15.0, kernel-10.0, sasl-3.0

xmerl-2.1.3.1

The xmerl-2.1.3.1 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• The type specs of xmerl_scan:file/2 and xmerl_scan:string/2 has been updated to return dynamic/0. Due to hook functions they can return any user defined term.

  Own Id: OTP-19662
  Related Id(s): ERIERL-1225, PR-9905

Full runtime dependencies of xmerl-2.1.3.1

erts-6.0, kernel-8.4, stdlib-2.5

Thanks to

Dan Janowski, Ilya Averyanov, Yaroslav Maslennikov

Patch Package:           OTP 28.0.1
Git Tag:                 OTP-28.0.1
Date:                    2025-06-16
Trouble Report Id:       OTP-19634, OTP-19635, OTP-19637, OTP-19638,
                         OTP-19641, OTP-19644, OTP-19645, OTP-19650,
                         OTP-19653, OTP-19658, OTP-19662, OTP-19665,
                         OTP-19675, OTP-19676
Seq num:                 CVE-2025-4748, ERIERL-1225, ERIERL-1235,
                         GH-6463, GH-9102, GH-9841, GH-9858, GH-9863,
                         GH-9872, PR-9103, PR-9691, PR-9838, PR-9846,
                         PR-9849, PR-9859, PR-9861, PR-9870, PR-9878,
                         PR-9880, PR-9892, PR-9905, PR-9926, PR-9941
System:                  OTP
Release:                 28
Application:             asn1-5.4.1, debugger-6.0.1, eldap-1.2.16,
                         erts-16.0.1, kernel-10.3.1,
                         public_key-1.18.1, ssh-5.3.1, ssl-11.3.1,
                         stdlib-7.0.1, xmerl-2.1.5
Predecessor:             OTP 28.0

Check out the git tag OTP-28.0.1, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

asn1-5.4.1

The asn1-5.4.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• The ASN.1 compiler could generate code that would cause Dialyzer with the unmatched_returns option to emit warnings.

  Own Id: OTP-19638 Related Id(s): GH-9841, PR-9846

Full runtime dependencies of asn1-5.4.1

erts-14.0, kernel-9.0, stdlib-5.0

debugger-6.0.1

The debugger-6.0.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Restore deleted icon so that debugger does not crash on startup.

  Own Id: OTP-19641 Related Id(s): GH-9858, PR-9861

Full runtime dependencies of debugger-6.0.1

compiler-8.0, erts-15.0, kernel-10.0, stdlib-7.0, wx-2.0

eldap-1.2.16

The eldap-1.2.16 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• With this change eldap's 'not' function will have specs fixed.

  Own Id: OTP-19658 Related Id(s): PR-9859

Full runtime dependencies of eldap-1.2.16

asn1-3.0, erts-6.0, kernel-3.0, ssl-5.3.4, stdlib-3.4

erts-16.0.1

The erts-16.0.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fix Erlang to not crash when io:standard_error/0 is a terminal but io:standard_io/0 is not. This bug has existed since Erlang/OTP 28.0 and only effects Windows.

  Own Id: OTP-19650 Related Id(s): GH-9872, PR-9878

• In a debug build, the BIFs for the native debugger could cause a lock order violation diagnostic from the lock checker.

  Own Id: OTP-19665 Related Id(s): PR-9926

• When building ERTS make sure correct pcre2.h file is included even if CFLAGS contains extra include paths.

  Own Id: OTP-19675 Related Id(s): PR-9892

Full runtime dependencies of erts-16.0.1

kernel-9.0, sasl-3.3, stdlib-4.1

kernel-10.3.1

The kernel-10.3.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fix bug where calling io:setopts/1 in a shell without the line_history option would always disable line_history. This bug was introduced in Erlang/OTP 28.0.

  Own Id: OTP-19645 Related Id(s): GH-9863, PR-9870

Full runtime dependencies of kernel-10.3.1

crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-6.0

public_key-1.18.1

The public_key-1.18.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Add back some ASN-1 macros and definitions that should be included in API.

  Own Id: OTP-19644 Related Id(s): PR-9880

Full runtime dependencies of public_key-1.18.1

asn1-5.0, crypto-5.0, erts-13.0, kernel-8.0, stdlib-4.0

ssh-5.3.1

The ssh-5.3.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Various channel closing robustness improvements. Avoid crashes when channel handling process closes channel and immediately exits. Avoid breaking the protocol by sending duplicated channel-close messages. Cleanup channels which timeout during closing procedure.

  Own Id: OTP-19634 Related Id(s): GH-9102, PR-9103

• Improved interoperability with clients acting as Paramiko.

  Own Id: OTP-19637 Related Id(s): GH-6463, PR-9838

Full runtime dependencies of ssh-5.3.1

crypto-5.0, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0

ssl-11.3.1

The ssl-11.3.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• hs_keylog callback properly handle alert in initial states, where encryption is not yet used. Also add keylog callback invocation for corner-case where server alert is encrypted with application secrets as client is already in connection state.

  Own Id: OTP-19635 Related Id(s): ERIERL-1235, PR-9849

Improvements and New Features

• The documentation for SSL option verify_fun has been improved.

  Own Id: OTP-19676 Related Id(s): PR-9691

Full runtime dependencies of ssl-11.3.1

crypto-5.6, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.16.4, runtime_tools-1.15.1, stdlib-7.0

stdlib-7.0.1

The stdlib-7.0.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Properly strip the leading / and drive letter from filepaths when zipping and unzipping archives.

  Thanks to Wander Nauta for finding and responsibly disclosing this vulnerability to the Erlang/OTP project.

  Own Id: OTP-19653 Related Id(s): PR-9941, CVE-2025-4748

Full runtime dependencies of stdlib-7.0.1

compiler-5.0, crypto-4.5, erts-16.0, kernel-10.0, sasl-3.0, syntax_tools-3.2.1

xmerl-2.1.5

The xmerl-2.1.5 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• The type specs of xmerl_scan:file/2 and xmerl_scan:string/2 has been updated to return dynamic/0. Due to hook functions they can return any user defined term.

  Own Id: OTP-19662 Related Id(s): ERIERL-1225, PR-9905

Full runtime dependencies of xmerl-2.1.5

erts-6.0, kernel-8.4, stdlib-2.5

Thanks to

Dan Janowski, Ilya Averyanov, Mikael Pettersson, Yaroslav Maslennikov

OTP 28.0

Erlang/OTP 28 is a new major release with new features, improvements as well as a few incompatibilities. Some of the new features are highlighted below.

Many thanks to all contributors!

Starting with this release, a source Software Bill of Materials (SBOM) will describe the release on the Github Releases page. We welcome feedback on the SBOM.

New language features

• Functionality making it possible for processes to enable reception of priority messages has been introduced in accordance with EEP 76.

• Comprehensions have been extended with "zip generators" allowing multiple generators to be run in parallel. For example, [A+B || A <- [1,2,3] && B <- [4,5,6]] will produce [5,7,9].

• Generators in comprehensions can now be strict, meaning that if the generator pattern does not match, an exception will be raised instead of silently ignore the value that didn't match.

• It is now possible to use any base for floating point numbers as per EEP 75: Based Floating Point Literals.

Compiler and JIT improvements

• For certain types of errors, the compiler can now suggest corrections. For example, when attempting to use variable A that is not defined but A0 is, the compiler could emit the following message: variable 'A' is unbound, did you mean 'A0'?

• The size of an atom in the Erlang source code was limited to 255 bytes in previous releases, meaning that an atom containing only emojis could contain only 63 emojis. While atoms are still only allowed to contain 255 characters, the number of bytes is no longer limited.

• The warn_deprecated_catch option enables warnings for use of old-style catch expressions on the form catch Expr instead of the modern try ... catch ... end.

• Provided that the map argument for a maps:put/3 call is known to the compiler to be a map, the compiler will replace such calls with the corresponding update using the map syntax.

• Some BIFs with side-effects (such as binary_to_atom/1) are optimized in try ... catch in the same way as guard BIFs in order to gain performance.

• The compiler’s alias analysis pass is now both faster and less conservative, allowing optimizations of records and binary construction to be applied in more cases.

ERTS

• The trace:system/3 function has been added. It has a similar interface as erlang:system_monitor/2 but it also supports trace sessions.

• os:set_signal/2 now supports setting handlers for the SIGWINCH, SIGCONT, and SIGINFO signals.

• The two new BIFs erlang:processes_iterator/0 and erlang:process_next/1 make it possible to iterate over the process table in a way that scales better than erlang:processes/0.

Shell and terminal

• The erl -noshell mode has been updated to have two sub modes called raw and cooked, where cooked is the old default behaviour and raw can be used to bypass the line-editing support of the native terminal. Using raw mode it is possible to read keystrokes as they occur without the user having to press Enter. Also, the raw mode does not echo the typed characters to stdout.

• The shell now prints a help message explaining how to interrupt a running command when stuck executing a command for longer than 5 seconds.

STDLIB

• The join(Binaries, Separator) function that joins a list of binaries has been added to the binary module.

• By default, sets created by module sets will now be represented as maps.

• Module re has been updated to use the newer PCRE2 library instead of the PCRE library.

• There is a new zstd module that does Zstandard compression.

Public_key

• The ancient ASN.1 modules used in public_key has been replaced with more modern versions, but we have strived to keep the documented Erlang API for the public_key application compatible.

Dialyzer

• EEP 69: Nominal Types has been implemented.

SSL

• The data handling for tls-v1.3 has been optimized.

Emacs mode (in the Tools application)

• The indent-region in Emacs command will now handle multiline strings better.

For more details about new features and potential incompatibilities see the README.

Patch Package:           OTP 27.3.4
Git Tag:                 OTP-27.3.4
Date:                    2025-05-08
Trouble Report Id:       OTP-19577, OTP-19599, OTP-19602, OTP-19605,
                         OTP-19608, OTP-19625
Seq num:                 CVE-2025-46712, ERIERL-1220, GH-9707,
                         GH-9720, PR-9696, PR-9724, PR-9753, PR-9765,
                         PR-9767
System:                  OTP
Release:                 27
Application:             erts-15.2.7, kernel-10.2.7, ssh-5.2.11,
                         xmerl-2.1.3
Predecessor:             OTP 27.3.3

Check out the git tag OTP-27.3.4, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

erts-15.2.7

The erts-15.2.7 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• Fixed an emulator crash when setting an error_handler module that was not yet loaded.

  Own Id: OTP-19577
  Related Id(s): ERIERL-1220, PR-9696

• Fixed a rare bug that could cause an emulator crash after unloading a module or erasing a persistent_term.

  Own Id: OTP-19599
  Related Id(s): PR-9724

Full runtime dependencies of erts-15.2.7

kernel-9.0, sasl-3.3, stdlib-4.1

kernel-10.2.7

Note! The kernel-10.2.7 application cannot be applied independently of other applications on an arbitrary OTP 27 installation.

   On a full OTP 27 installation, also the following runtime
   dependency has to be satisfied:
   -- erts-15.2.5 (first satisfied in OTP 27.3.2)

Fixed Bugs and Malfunctions

• With this change, disk_log will not crash when using chunk_step/3 after log size was decreased.

  Own Id: OTP-19605
  Related Id(s): GH-9720, PR-9765

• With this change, disk_log will not run into infinite loop when using chunk/2,3 after log size was decreased.

  Own Id: OTP-19608
  Related Id(s): GH-9707, PR-9767

Full runtime dependencies of kernel-10.2.7

crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-6.0

ssh-5.2.11

The ssh-5.2.11 application can be applied independently of other applications on a full OTP 27 installation.

Fixed Bugs and Malfunctions

• Fix KEX strict implementation according to draft-miller-sshm-strict-kex-01 document.

  Own Id: OTP-19625
  Related Id(s): CVE-2025-46712

Full runtime dependencies of ssh-5.2.11

crypto-5.0, erts-14.0, kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0

xmerl-2.1.3

The xmerl-2.1.3 application can be applied independently of other applications on a full OTP 27 installation.

Improvements and New Features

• A new option to discard whitespace before the xml tag when reading from a stream has been added to the Xmerl SAX parser.

  • {discard_ws_before_xml_document, Boolean} - Discard whitespace before xml tag instead of returning a fatal error if set to true (false is default)

  Own Id: OTP-19602
  Related Id(s): PR-9753

Full runtime dependencies of xmerl-2.1.3

erts-6.0, kernel-8.4, stdlib-2.5

Thanks to

Lý Nhật Tâm