erlang/otp OTP-25.3.2.19

OTP 25.3.2.19

on GitHub

Patch Package:           OTP 25.3.2.19
Git Tag:                 OTP-25.3.2.19
Date:                    2025-03-28
Trouble Report Id:       OTP-19501, OTP-19527, OTP-19543, OTP-19545,
                         OTP-19559
Seq num:                 CVE-2025-30211, ERIERL-1195, GH-9554,
                         OTP-19544, PR-9499, PR-9545, PR-9577, PR-9587
System:                  OTP
Release:                 25
Application:             erts-13.2.2.15, kernel-8.5.4.5,
                         mnesia-4.21.4.4, ssh-4.15.3.11
Predecessor:             OTP 25.3.2.18

 Check out the git tag OTP-25.3.2.19, and build a full OTP system
 including documentation. Apply one or more applications from this
 build as patches to your installation using the 'otp_patch_apply'
 tool. For information on install requirements, see descriptions for
 each application version below.

 ---------------------------------------------------------------------
 --- erts-13.2.2.15 --------------------------------------------------
 ---------------------------------------------------------------------

 Note! The erts-13.2.2.15 application *cannot* be applied
       independently of other applications on an arbitrary OTP 25
       installation.

       On a full OTP 25 installation, also the following runtime
       dependencies have to be satisfied:
       -- kernel-8.5 (first satisfied in OTP 25.1)
       -- stdlib-4.1 (first satisfied in OTP 25.1)


 --- Fixed Bugs and Malfunctions ---

  OTP-19527    Application(s): erts
               Related Id(s): PR-9577

               Trace messages due to receive tracing could potentially
               be delayed a very long time if the traced process
               waited in a receive expression without clauses matching
               on messages (timed wait), or just did not enter a
               receive expression for a very long time.


 Full runtime dependencies of erts-13.2.2.15: kernel-8.5, sasl-3.3,
 stdlib-4.1


 ---------------------------------------------------------------------
 --- kernel-8.5.4.5 --------------------------------------------------
 ---------------------------------------------------------------------

 Note! The kernel-8.5.4.5 application *cannot* be applied
       independently of other applications on an arbitrary OTP 25
       installation.

       On a full OTP 25 installation, also the following runtime
       dependencies have to be satisfied:
       -- erts-13.1.3 (first satisfied in OTP 25.2)
       -- stdlib-4.1.1 (first satisfied in OTP 25.1.1)


 --- Fixed Bugs and Malfunctions ---

  OTP-19545    Application(s): kernel
               Related Id(s): PR-9587, OTP-19544

               An infinite loop in CNAME loop detection that can cause
               Out Of Memory has been fixed. This affected CNAME
               lookup with the internal DNS resolver.


 Full runtime dependencies of kernel-8.5.4.5: crypto-5.0, erts-13.1.3,
 sasl-3.0, stdlib-4.1.1


 ---------------------------------------------------------------------
 --- mnesia-4.21.4.4 -------------------------------------------------
 ---------------------------------------------------------------------

 The mnesia-4.21.4.4 application can be applied independently of other
 applications on a full OTP 25 installation.

 --- Fixed Bugs and Malfunctions ---

  OTP-19501    Application(s): mnesia
               Related Id(s): ERIERL-1195, PR-9499

               Mnesia could fail to load a table, if one of the copy
               holders was moved during startup.


 Full runtime dependencies of mnesia-4.21.4.4: erts-9.0, kernel-5.3,
 stdlib-3.4


 ---------------------------------------------------------------------
 --- ssh-4.15.3.11 ---------------------------------------------------
 ---------------------------------------------------------------------

 The ssh-4.15.3.11 application can be applied independently of other
 applications on a full OTP 25 installation.

 --- Fixed Bugs and Malfunctions ---

  OTP-19543    Application(s): ssh
               Related Id(s): CVE-2025-30211

               Reception of malicious KEX init message does not result
               with ssh daemon excessive memory usage.


  OTP-19559    Application(s): ssh
               Related Id(s): GH-9554, PR-9545

               Call to ssh:daemon_replace_options does not crash when
               argument is not a valid daemon ref.


 Full runtime dependencies of ssh-4.15.3.11: crypto-5.0, erts-11.0,
 kernel-6.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-3.15


 ---------------------------------------------------------------------
 --- Thanks to -------------------------------------------------------
 ---------------------------------------------------------------------

 Alexandre Rodrigues, Sergei Shuvatov


 ---------------------------------------------------------------------
 ---------------------------------------------------------------------
 ---------------------------------------------------------------------