Erlang/OTP 23.1

OTP-16790

Application(s):

inets

Related Id(s):

ERIERL-522

A vulnerability in the httpd module (inets application) regarding directory traversal that was introduced in OTP 22.3.1 and corrected in OTP 22.3.4.6. It was also introduced in OTP 23.0 and corrected in OTP 23.1 The vulnerability is registered as CVE-2020-25623

The vulnerability is only exposed if the http server (httpd) in the inets application is used. The vulnerability makes it possible to read arbitrary files which the Erlang system has read access to with for example a specially prepared http request.

OTP-16833

Application(s):

erts, otp

Related Id(s):

PR-2729

Adjust /bin/sh to /system/bin/sh in scripts when installing on Android.

OTP-16779

Application(s):

otp

Related Id(s):

ERL-1305 , PR-2700

Changes in build system to make it build for macOS 11.0 with Apple Silicon. Also corrected execution of match specs to work on Apple Silicon.

The asn1-5.0.14 application can be applied independently of other applications on a full OTP 23 installation.

OTP-16707

Application(s):

asn1, erl_interface, erts, odbc

Related Id(s):

PR-2638

Changes in order to build on the Haiku operating system.

Thanks to Calvin Buckley

Full runtime dependencies of asn1-5.0.14: erts-7.0, kernel-3.0, stdlib-2.0

The compiler-7.6.3 application can be applied independently of other applications on a full OTP 23 installation.

OTP-16701

Application(s):

compiler

Related Id(s):

ERL-1271

If the update of a map with the 'Map#{Key := Value}' syntax failed, the line number in the stack backtrace could be incorrect.

OTP-16755

Application(s):

compiler

Related Id(s):

ERL-1297

Fixed a performance bug that slowed down compilation of modules with deeply nested terms.

OTP-16820

Application(s):

compiler

The compiler could in rare circumstances do an an unsafe optimization that would result in a matching of a nested map pattern would fail to match.

OTP-16838

Application(s):

compiler

Related Id(s):

ERL-1340

Fixed a bug in the validator that caused it to reject valid code.

Full runtime dependencies of compiler-7.6.3: crypto-3.6, erts-11.0, hipe-3.12, kernel-7.0, stdlib-3.13

The crypto-4.8 application can be applied independently of other applications on a full OTP 23 installation.

OTP-16658

Application(s):

crypto

Related Id(s):

ERL-1257 , OTP-15884

Fix type spec bug in crypto for crypto_init and crypto:one_time

OTP-16846

Application(s):

crypto

Related Id(s):

PR-2741

The deprecation message for crypto:rand_uniform/2 indicated a non-existent function. The correct one (rand:uniform/1) is now suggested.

OTP-16771

Application(s):

crypto

Related Id(s):

ERIERL-509

Implemented a workaround to allow fallback from using the EVP API for Diffie-Hellman key generation

OTP-16774

Application(s):

crypto, ssh

The internal Diffie-Hellman high level API for key generation was slow in old and by OpenSSL now unsupported cryptolib versions (1.0.1 and earlier).

If such a cryptolib is used anyhow, the low-level API is used internally in the crypto application.

Full runtime dependencies of crypto-4.8: erts-9.0, kernel-5.3, stdlib-3.4

The dialyzer-4.2.1 application can be applied independently of other applications on a full OTP 23 installation.

OTP-16813

Application(s):

dialyzer

Related Id(s):

ERL-1307

In rare circumstance, dialyzer wold crash when analyzing a list comprehension.

Full runtime dependencies of dialyzer-4.2.1: compiler-7.0, erts-9.0, hipe-3.16.1, kernel-5.3, stdlib-3.4, syntax_tools-2.0, wx-1.2

The erl_docgen-1.0.1 application can be applied independently of other applications on a full OTP 23 installation.

OTP-16661

Application(s):

erl_docgen

Related Id(s):

ERL-1259

Repaired lost function "since" versions in the right margin of the module reference HTML documentation.

OTP-16675

Application(s):

erl_docgen

Remove erlang compilation warnings and trailing whitespaces.

Full runtime dependencies of erl_docgen-1.0.1: edoc-0.7.13, erts-9.0, stdlib-3.4, xmerl-1.3.7

The erl_interface-4.0.1 application can be applied independently of other applications on a full OTP 23 installation.

OTP-16740

Application(s):

erl_interface

Fix erl_interface on windows to be compiled with correct flags to make internal primitives reentrant.

OTP-16753

Application(s):

erl_interface

Related Id(s):

ERL-1288 , PR-2678

Fixed ei_get_type to set *size to zero for floats, pids, port and refs according to documentation.

OTP-16786

Application(s):

erl_interface

Fix ei_connect when using a dynamic node name to force usage of distribution version 6.

This bug caused erl_call -R -address to not work properly.

OTP-16707

Application(s):

asn1, erl_interface, erts, odbc

Related Id(s):

PR-2638

Changes in order to build on the Haiku operating system.

Thanks to Calvin Buckley

OTP-16607

Application(s):

erl_interface

Related Id(s):

OTP-16608

The ei API for decoding/encoding terms is not fully 64-bit compatible since terms that have a representation on the external term format larger than 2 GB cannot be handled.

The erts-11.1 application can be applied independently of other applications on a full OTP 23 installation.

OTP-16625

Application(s):

erts

Related Id(s):

PR-2609

Update the documentation of the abstract format to use ANNO instead of LINE.

OTP-16710

Application(s):

erts

Related Id(s):

ERL-1280

The emulator will no longer revert to the default number of schedulers when running under a CPU quota lower than 1 CPU.

OTP-16713

Application(s):

erts

Fixed a problem with crash dumps. When a process that contained reference to literals internally created by the runtime system (such as the tuple returned by os:type/0), the literal would not be included in the crash dump and the crashdump viewer would complain about the heap being incomplete.

OTP-16738

Application(s):

erts

Fix configure detection of PGO for clang.

OTP-16741

Application(s):

erts

The to_erl program has been fixed to correctly interpret newline as only newline and not newline+return.

This bug would cause the terminal to behave strangely when using lines longer than the terminal size.

OTP-16770

Application(s):

erts

A race condition when changing process priority by calling process_flag(priority, Prio) could cause elevation of priority for a system task to be ignored. This bug hit if the system task was scheduled on the process calling process_flag() at the same time as the priority was changed. The bug is quite harmless and should hit very seldom if ever.

OTP-16833

Application(s):

erts, otp

Related Id(s):

PR-2729

Adjust /bin/sh to /system/bin/sh in scripts when installing on Android.

OTP-16850

Application(s):

erts

Related Id(s):

ERL-1344

In rare circumstances, when loading a BEAM file generated by an alternative code generator (not the Erlang compiler in OTP) or from handwritten or patched BEAM code, the loader could do an unsafe optimization.

OTP-16857

Application(s):

erts

A memory and file descriptor leak in socket has been fixed. (When a newly opened socket that had not entered the fd into the VM's poll set (neither received, sent, accepted nor connected) was abandoned without closing (process died), after assigning a different controlling process, then a memory block and the file descriptor could be leaked.)

OTP-16866

Application(s):

erts

Related Id(s):

ERL-1355

The documentation of statistics(run_queue) erroneously stated that it returns the total length of all normal run queues when it is the total length of all normal and dirty CPU run queues that is returned. The documentation has been updated to reflect the actual behavior.

OTP-16707

Application(s):

asn1, erl_interface, erts, odbc

Related Id(s):

PR-2638

Changes in order to build on the Haiku operating system.

Thanks to Calvin Buckley

OTP-16715

Application(s):

erts

When building the inet driver on Windows, there where many compiler warnings regarding type casting (used when calling the debug macro). This has now been resolved.

OTP-16763

Application(s):

erts, kernel

Make (use of) the socket registry optional (still enabled by default). Its now possible to build OTP with the socket registry turned off, turn it off by setting an environment variable and controlling in runtime (via function calls and arguments when creating sockets).

OTP-16821

Application(s):

erts

Related Id(s):

PR-2733

Change default filename encoding on android to UTF-8.

OTP-16848

Application(s):

erts

Related Id(s):

PR-2737

Clarification of the format of the atom cache header used by the distribution.

Full runtime dependencies of erts-11.1: kernel-7.0, sasl-3.3, stdlib-3.13

The eunit-2.6 application can be applied independently of other applications on a full OTP 23 installation.

OTP-16674

Application(s):

eunit

Fixed compiler warning.

Full runtime dependencies of eunit-2.6: erts-9.0, kernel-5.3, stdlib-3.4

The ftp-1.0.5 application can be applied independently of other applications on a full OTP 23 installation.

OTP-16734

Application(s):

ftp

Related Id(s):

ERIERL-496 , OTP-16697

Avoid timing issue when setting active once on a socket that is being closed by the peer.

Full runtime dependencies of ftp-1.0.5: erts-7.0, kernel-6.0, stdlib-3.5

The hipe-4.0.1 application can be applied independently of other applications on a full OTP 23 installation.

OTP-16737

Application(s):

hipe

Fixed a warning issued when building the hipe application.

Full runtime dependencies of hipe-4.0.1: compiler-5.0, erts-9.3, kernel-5.3, stdlib-3.4, syntax_tools-1.6.14

The inets-7.3 application can be applied independently of other applications on a full OTP 23 installation.

OTP-16650

Application(s):

inets

Related Id(s):

ERL-1215 , PR-2629

Clarify the handling of percent encoded characters in http client.

OTP-16663

Application(s):

inets

Related Id(s):

ERL-1241

fix crash for undefined port in uri.

OTP-16735

Application(s):

inets

Related Id(s):

ERIERL-496 , OTP-16697

Avoid timing issue when setting active once on a socket that is being closed by the peer.

OTP-16746

Application(s):

inets

Related Id(s):

ERL-1268

Handle message body of response with 1XX status code as next http message.

OTP-16775

Application(s):

inets

Related Id(s):

ERIERL-519

Fix a crash in http server when setopts is called on a socket closed by the peer.

OTP-16790

Application(s):

inets

Related Id(s):

ERIERL-522

*** HIGHLIGHT ***

A vulnerability in the httpd module (inets application) regarding directory traversal that was introduced in OTP 22.3.1 and corrected in OTP 22.3.4.6. It was also introduced in OTP 23.0 and corrected in OTP 23.1 The vulnerability is registered as CVE-2020-25623

The vulnerability is only exposed if the http server (httpd) in the inets application is used. The vulnerability makes it possible to read arbitrary files which the Erlang system has read access to with for example a specially prepared http request.

OTP-16591

Application(s):

inets

Related Id(s):

ERIERL-484

Add support of PATCH method in mod_esi.

Full runtime dependencies of inets-7.3: erts-6.0, kernel-3.0, mnesia-4.12, runtime_tools-1.8.14, ssl-5.3.4, stdlib-3.5

The kernel-7.1 application can be applied independently of other applications on a full OTP 23 installation.

OTP-15187

Application(s):

kernel

Related Id(s):

ERL-1293

A fallback has been implemented for file:sendfile when using inet_backend socket

OTP-16694

Application(s):

kernel

Related Id(s):

PR-2625

Make default TCP distribution honour option backlog in inet_dist_listen_options.

OTP-16743

Application(s):

kernel

Related Id(s):

ERL-1287

Raw option handling for the experimental gen_tcp_socket backend was broken so that all raw options were ignored by for example gen_tcp:listen/2, a bug that now has been fixed. Reported by Jan Uhlig.

OTP-16748

Application(s):

kernel

Related Id(s):

ERL-1284

Accept fails with inet-backend socket.

OTP-16754

Application(s):

kernel

Fixed various minor errors in the socket backend of gen_tcp.

OTP-16768

Application(s):

kernel

Related Id(s):

ERL-1312

Correct disk_log:truncate/1 to count the header. Also correct the documentation to state that disk_log:truncate/1 can be used with external disk logs.

OTP-16783

Application(s):

kernel

Fix erl_epmd:port_please/2,3 type specs to include all possible error values.

OTP-16785

Application(s):

kernel

Fix erl -erl_epmd_port to work properly. Before this fix it did not work at all.

OTP-16823

Application(s):

kernel

Related Id(s):

PR-2722

Fix typespec for internal function erlang:seq_trace_info/1 to allow term() as returned label. This in turn fixes so that calls to seq_trace:get_token/1 can be correctly analyzer by dialyzer.

OTP-16832

Application(s):

kernel

Related Id(s):

PR-2738

Fix erroneous double registration of processes in pg when distribution is dynamically started.

OTP-16763

Application(s):

erts, kernel

Make (use of) the socket registry optional (still enabled by default). Its now possible to build OTP with the socket registry turned off, turn it off by setting an environment variable and controlling in runtime (via function calls and arguments when creating sockets).

OTP-16784

Application(s):

kernel

erl -remsh nodename no longer requires the hostname to be given when used together with dynamic nodenames.

Full runtime dependencies of kernel-7.1: erts-11.0, sasl-3.0, stdlib-3.13

The megaco-3.19.3 application can be applied independently of other applications on a full OTP 23 installation.

OTP-16836

Application(s):

megaco

The expected number of warnings when (yecc) generating v2 and v3 (text) parser's was incorrect.

Full runtime dependencies of megaco-3.19.3: asn1-3.0, debugger-4.0, erts-7.0, et-1.5, kernel-3.0, runtime_tools-1.8.14, stdlib-2.5

The mnesia-4.18 application can be applied independently of other applications on a full OTP 23 installation.

OTP-16782

Application(s):

mnesia

Related Id(s):

PR-2663

FIx mnesia delete object handling in transaction storage. In a transaction mnesia:read/1 could indicate that exiting objects did not exist after another object was deleted.

OTP-16815

Application(s):

mnesia

Related Id(s):

ERIERL-500

Fixed crash during startup, which could happen if a table was deleted on another node.

Full runtime dependencies of mnesia-4.18: erts-9.0, kernel-5.3, stdlib-3.4

The observer-2.9.5 application can be applied independently of other applications on a full OTP 23 installation.

OTP-16778

Application(s):

observer

Fix graph windows flickering on windows.

Full runtime dependencies of observer-2.9.5: erts-11.0, et-1.5, kernel-7.0, runtime_tools-1.8.14, stdlib-3.13, wx-1.2

The odbc-2.13.1 application can be applied independently of other applications on a full OTP 23 installation.

OTP-16707

Application(s):

asn1, erl_interface, erts, odbc

Related Id(s):

PR-2638

Changes in order to build on the Haiku operating system.

Thanks to Calvin Buckley

Full runtime dependencies of odbc-2.13.1: erts-6.0, kernel-3.0, stdlib-2.0

The os_mon-2.6 application can be applied independently of other applications on a full OTP 23 installation.

OTP-16798

Application(s):

os_mon

Related Id(s):

ERL-1327

memsup now returns the correct amount of system memory on macOS.

OTP-16742

Application(s):

os_mon

Fix memsup:get_os_wordsize/0 to return the current size on aarch64.

Full runtime dependencies of os_mon-2.6: erts-6.0, kernel-3.0, sasl-2.4, stdlib-2.0

The public_key-1.9 application can be applied independently of other applications on a full OTP 23 installation.

OTP-16801

Application(s):

public_key

Related Id(s):

ERL-1309

Fixed an insignificant whitespace issue when decoding PEM file.

OTP-16448

Application(s):

public_key, ssl

Experimental OCSP client support.

OTP-16592

Application(s):

public_key

Use user returned path validation error for selfsigned cert. It allows users of the ssl application to customize the generated TLS alert, within the range of defined alerts.

OTP-16705

Application(s):

public_key

add API function to retrieve the subject-ID of an X509 certificate

Full runtime dependencies of public_key-1.9: asn1-3.0, crypto-3.8, erts-6.0, kernel-3.0, stdlib-3.5

The runtime_tools-1.15.1 application can be applied independently of other applications on a full OTP 23 installation.

OTP-16787

Application(s):

runtime_tools

Related Id(s):

PR-2673

Fixed a crash in appmon_info triggered by trying to read port info from a port that was in the process of terminating.

appmon_info is used by observer to get information from the observed node.

Full runtime dependencies of runtime_tools-1.15.1: erts-11.0, kernel-7.0, mnesia-4.12, stdlib-3.13

The sasl-4.0.1 application can be applied independently of other applications on a full OTP 23 installation.

OTP-16744

Application(s):

sasl

Related Id(s):

ERL-1247 , PR-2666

Make release_handler more resilient against exiting processes during upgrade.

Full runtime dependencies of sasl-4.0.1: erts-10.2, kernel-5.3, stdlib-3.4, tools-2.6.14

The snmp-5.6.1 application can be applied independently of other applications on a full OTP 23 installation.

OTP-15130

Application(s):

snmp

Related Id(s):

ERIERL-524 , OTP-16541

For agent fix PrivParams for SNMPv3 USM with AES privacy, as earlier fixed for the manager in OTP_16541.

OTP-15767

Application(s):

snmp

Related Id(s):

ERIERL-523

The SNMP Agent missed to re-activate datagram reception in an odd timeout case and went deaf. This bug has been fixed.

OTP-16716

Application(s):

snmp

Use of deprecated functions in example 2 has been removed (no more compiler warnings).

OTP-16760

Application(s):

snmp

Related Id(s):

ERIERL-511

A file descriptor leak has been plugged. When calling the reconfigure function of a mib, it opened the config file(s) but never closed them on successful read.

Full runtime dependencies of snmp-5.6.1: crypto-3.3, erts-6.0, kernel-3.0, mnesia-4.12, runtime_tools-1.8.14, stdlib-2.5

The ssh-4.10.1 application can be applied independently of other applications on a full OTP 23 installation.

OTP-16761

Application(s):

ssh

Related Id(s):

PR-2679

Fixed a bug when a message to ssh-agent was divided into separate packets.

OTP-16791

Application(s):

ssh

Related Id(s):

ERIERL-520

Fix a bug that could crash the cli server if a too large cli-window was requested from the client.

OTP-14106

Application(s):

ssh

Increased test coverage.

OTP-16411

Application(s):

ssh

A chapter about hardening the OTP SSH is added to the User's Guide.

OTP-16774

Application(s):

crypto, ssh

The internal Diffie-Hellman high level API for key generation was slow in old and by OpenSSL now unsupported cryptolib versions (1.0.1 and earlier).

If such a cryptolib is used anyhow, the low-level API is used internally in the crypto application.

OTP-16803

Application(s):

ssh

A new timeout is defined for daemons: hello_timeout.

The timeout is supposed to be used as a simple DoS attack protection. It closes an incoming TCP-connection if no valid first SSH message is received from the client within the timeout limit after the TCP initial connection setup.

The initial value is 30s by compatibility reasons, but could be lowered if needed, for example in the code or in a config file.

Full runtime dependencies of ssh-4.10.1: crypto-4.6.4, erts-9.0, kernel-5.3, public_key-1.6.1, stdlib-3.4.1

The ssl-10.1 application can be applied independently of other applications on a full OTP 23 installation.

OTP-16697

Application(s):

ssl

Related Id(s):

ERIERL-496

If a passive socket is created, ssl:recv/2,3 is never called and then the peer closes the socket the controlling process will no longer receive an active close message.

OTP-16764

Application(s):

ssl

Data deliver with ssl:recv/2,3 could fail for when using packet mode. This has been fixed by correcting the flow control handling of passive sockets when packet mode is used.

OTP-16765

Application(s):

ssl

This change fixes a potential man-in-the-middle vulnerability when the ssl client is configured to automatically handle session tickets ({session_tickets, auto}).

OTP-16767

Application(s):

ssl

Related Id(s):

ERIERL-512

Fix the internal handling of options 'verify' and 'verify_fun'.

This change fixes a vulnerability when setting the ssl option 'verify' to verify_peer in a continued handshake won't take any effect resulting in the acceptance of expired peer certificates.

OTP-16776

Application(s):

ssl

Related Id(s):

ERL-1316

This change fixes the handling of stateless session tickets when anti-replay is enabled.

OTP-16777

Application(s):

ssl

Related Id(s):

ERL-1317

Fix a crash due to the faulty handling of stateful session tickets received by servers expecting stateless session tickets.

This change also improves the handling of faulty/invalid tickets.

OTP-16837

Application(s):

ssl

Related Id(s):

ERL-1319 , OTP-16764

Correct flow ctrl checks from OTP-16764 to work as intended. Probably will not have a noticeable affect but will make connections more well behaved under some circumstances.

OTP-16851

Application(s):

ssl

Related Id(s):

PR-2703

Distribution over TLS could exhibit livelock-like behaviour when there is a constant stream of distribution messages. Distribution data is now chunked every 16 Mb to avoid that.

OTP-15855

Application(s):

ssl

Implement the cookie extension for TLS 1.3.

OTP-16448

Application(s):

public_key, ssl

Experimental OCSP client support.

OTP-16802

Application(s):

ssl

Related Id(s):

ERIERL-516

TLS 1.0 -TLS-1.2 sessions tables now have a absolute max value instead of using a shrinking mechanism when reaching the limit. To avoid out of memory problems under heavy load situations. Note that this change infers that implementations of ssl_session_cache_api needs to implement the size function (introduce in OTP 19) for session reuse to be optimally utilized.

Full runtime dependencies of ssl-10.1: crypto-4.2, erts-10.0, inets-5.10.7, kernel-6.0, public_key-1.8, stdlib-3.5

The stdlib-3.13.2 application can be applied independently of other applications on a full OTP 23 installation.

OTP-16655

Application(s):

stdlib

The functions digraph:in_edges/2 and digraph:out_edges/2 would return false edges if called for a vertex that had a '_' atom in its name term.

OTP-16700

Application(s):

stdlib

filelib:wildcard("not-a-directory/..") should return an empty list. On Windows it returned "not-a-directory/..".

OTP-16739

Application(s):

stdlib

Fix the typespec of shell_docs:render to use the correct type for an MFA.

OTP-16751

Application(s):

stdlib

Related Id(s):

ERL-1283

Fix uri_string:recompose/1 when host is present but input path is not absolute.

This change prevents the recompose operation to change the top level domain of the host when the path does not start with a slash.

OTP-16816

Application(s):

stdlib

Related Id(s):

ERL-1310

The epp module would return a badly formed error term when an 'if' preprocessor directive referenced an undefined symbol. epp:format_error/1 would crash when called with the bad error term.

OTP-16830

Application(s):

stdlib

Related Id(s):

ERL-1334 , PR-2718

lists:sublist(List, Start, Len) failed with an exception if Start > length(List) + 1 even though it is explicitly documented that "It is not an error for Start+Len to exceed the length of the list".

Full runtime dependencies of stdlib-3.13.2: compiler-5.0, crypto-3.3, erts-11.0, kernel-7.0, sasl-3.0

The syntax_tools-2.3.1 application can be applied independently of other applications on a full OTP 23 installation.

OTP-16732

Application(s):

syntax_tools

Related Id(s):

PR-2659

Minor documentation fix of erl_syntax:operator/1.

Full runtime dependencies of syntax_tools-2.3.1: compiler-7.0, erts-9.0, kernel-5.0, stdlib-3.4

The tools-3.4.1 application can be applied independently of other applications on a full OTP 23 installation.

OTP-16854

Application(s):

tools

Related Id(s):

PR-2750

Correct the Xref analysis locals_not_used to find functions called exclusively from on_load functions.

Full runtime dependencies of tools-3.4.1: compiler-5.0, erts-11.0, erts-9.1, kernel-5.4, runtime_tools-1.8.14, stdlib-3.4