Erlang/OTP 23.1 is the first maintenance patch release for OTP 23, with mostly bug fixes as well as a few improvements.
Vulnerability fix
A vulnerability in the httpd module (inets application) regarding directory traversal that was introduced in OTP 22.3.1 and corrected in OTP 22.3.4.6. It was also introduced in OTP 23.0 and corrected in OTP 23.1 The vulnerability is registered as CVE-2020-25623.
The vulnerability is only exposed if the http server (httpd) in the inets application is used. The vulnerability makes it possible to read arbitrary files which the Erlang system has read access to with for example a specially prepared http request.
General build issues
- Adjust /bin/sh to /system/bin/sh in scripts when installing on Android.
- Changes in build system to make it build for macOS 11.0 with Apple Silicon. Also corrected execution of match specs to work on Apple Silicon.
A full list of bug fixes and improvements in the readme.
Download and documentation
Online documentation can be browsed here:
http://erlang.org/documentation/doc-11.1/doc
Pre-built versions for Windows can be fetched here:
http://erlang.org/download/otp_win32_23.1.exe
http://erlang.org/download/otp_win64_23.1.exe
The Erlang/OTP source can also be found at GitHub on the official Erlang repository:
https://github.com/erlang/otp