Patch Package: OTP 26.2.5.15
Git Tag: OTP-26.2.5.15
Date: 2025-09-10
Trouble Report Id: OTP-19701, OTP-19729, OTP-19741, OTP-19742, OTP-19748, OTP-19760
Seq num: CVE-2025-48038, CVE-2025-48039, CVE-2025-48040, CVE-2025-48041, GH-10065, GH-3392, PR-10120, PR-10155, PR-10156, PR-10157, PR-10162, PR-6223
System: OTP
Release: 26
Application: inets-9.1.0.3, ssh-5.1.4.12
Predecessor: OTP 26.2.5.14
Check out the git tag OTP-26.2.5.15, and build a full OTP system
including documentation. Apply one or more applications from this
build as patches to your installation using the 'otp_patch_apply'
tool. For information on install requirements, see descriptions for
each application version below.
---------------------------------------------------------------------
--- POTENTIAL INCOMPATIBILITIES -------------------------------------
---------------------------------------------------------------------
OTP-19701 Application(s): ssh
Related Id(s): PR-10157, CVE-2025-48041
Option max_handles can be configured for sshd running
SFTP. The positive integer value limits the number of file
handles opened for a connection (by default 4096 is
used).
OTP-19741 Application(s): ssh
Related Id(s): PR-10162, CVE-2025-48040
Avoid decoding KEX messages that provide too many
algorithms. This change does not introduce a new
limitation but ensures it is enforced earlier in the
processing chain. Error logging during the handshake
has also been adjusted.
OTP-19742 Application(s): ssh
Related Id(s): PR-10155, CVE-2025-48039
A new 'max_path' option is now available in the sshd
configuration, allowing administrators to set the
maximum allowable path length. By default, this value
is set to 4096 characters.
OTP-19748 Application(s): ssh
Related Id(s): PR-10156, CVE-2025-48038
Reject file handles exceeding the size specified in the
RFCs (256 bytes).
---------------------------------------------------------------------
--- inets-9.1.0.3 ---------------------------------------------------
---------------------------------------------------------------------
The inets-9.1.0.3 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19729 Application(s): inets
Related Id(s): GH-3392, PR-6223
Fixed a bug where a request sent to an httpd server that
uses a CGI script to generate the response would
pollute the server's HTTP_PROXY environment variable for
that request. This bug is also known as httpoxy. More
information: CVE-2016-1000107
OTP-19760 Application(s): inets
Related Id(s): GH-10065, PR-10120
Fixed an RFC 2616 violation where an HTTP request made
by httpc without any options would be sent with an
empty TE header, without a corresponding TE value in
the Connection header. The default request now sends
no TE header at all.
Full runtime dependencies of inets-9.1.0.3: erts-14.0, kernel-9.0,
mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0,
stdlib-5.0
---------------------------------------------------------------------
--- ssh-5.1.4.12 ----------------------------------------------------
---------------------------------------------------------------------
The ssh-5.1.4.12 application can be applied independently of other
applications on a full OTP 26 installation.
--- Fixed Bugs and Malfunctions ---
OTP-19701 Application(s): ssh
Related Id(s): PR-10157, CVE-2025-48041
*** POTENTIAL INCOMPATIBILITY ***
Option max_handles can be configured for sshd running
SFTP. The positive integer value limits the number of file
handles opened for a connection (by default 4096 is
used).
OTP-19741 Application(s): ssh
Related Id(s): PR-10162, CVE-2025-48040
*** POTENTIAL INCOMPATIBILITY ***
Avoid decoding KEX messages that provide too many
algorithms. This change does not introduce a new
limitation but ensures it is enforced earlier in the
processing chain. Error logging during the handshake
has also been adjusted.
OTP-19742 Application(s): ssh
Related Id(s): PR-10155, CVE-2025-48039
*** POTENTIAL INCOMPATIBILITY ***
A new 'max_path' option is now available in the sshd
configuration, allowing administrators to set the
maximum allowable path length. By default, this value
is set to 4096 characters.
OTP-19748 Application(s): ssh
Related Id(s): PR-10156, CVE-2025-48038
*** POTENTIAL INCOMPATIBILITY ***
Reject file handles exceeding the size specified in the
RFCs (256 bytes).
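The OTP-19701 and OTP-19742 entries above introduce per-connection limits for the SFTP subsystem (max_handles and max_path, both defaulting to 4096). The following is an added example, not code from the OTP release notes or the ssh application itself, showing how an operator might start an sshd with the SFTP subsystem and set both limits below their defaults. It assumes that max_handles and max_path are accepted in the ssh_sftpd:subsystem_spec/1 option list; the port, directories and test credentials are placeholders.

```erlang
%% Added example (not part of the OTP release notes): start an sshd
%% serving SFTP with explicit handle and path limits.
%% Assumption: max_handles and max_path are ssh_sftpd subsystem options.
%% Placeholders: port 2222, /tmp directories, test user and password.
-module(sftpd_limits).
-export([start/0, start/3]).

start() ->
    start(2222, "/tmp/sftpd_system_dir", "/tmp/sftpd_root").

start(Port, SystemDir, Root) ->
    ok = ensure_started(),
    %% Tighter than the 4096 defaults for a service whose sessions only
    %% ever need a handful of open files and short paths.
    SftpSpec = ssh_sftpd:subsystem_spec([{root, Root},
                                         {cwd, Root},
                                         {max_handles, 64},
                                         {max_path, 1024}]),
    %% system_dir must contain the host key(s); user_passwords is a
    %% placeholder credential list for a local test only.
    ssh:daemon(Port, [{system_dir, SystemDir},
                      {user_passwords, [{"testuser", "testpass"}]},
                      {subsystems, [SftpSpec]}]).

ensure_started() ->
    {ok, _Started} = application:ensure_all_started(ssh),
    ok.
```

Lowering the limits caps how many file handles a single authenticated session can hold open and how long a path the server will accept, which bounds the resources one misbehaving or compromised client can consume; pick values from the real workload rather than copying the numbers above.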
Full runtime dependencies of ssh-5.1.4.12: crypto-5.0, erts-14.0,
kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0
---------------------------------------------------------------------
--- Thanks to -------------------------------------------------------
---------------------------------------------------------------------
Marcel Lanz, Savvas Nicholas
---------------------------------------------------------------------