NEWS

Written by Henrik, 16 Dec 2020

Erlang/OTP 23.2 is the second maintenance patch release for OTP 23, with mostly bug fixes as well as a few improvements.

A few of the changes and highlights are:

SSL

Handle extraneous certs in certificate chains as well as chains that are incomplete but can be reconstructed or unordered chains. The cert and certfile options will now accept a list of certificates so that the user may specify the chain explicitly.

Potential incompatibility

stdlib

Improved the API and documentation of the uri_string module. Added a new chapter to the Users Guide about Uniform Resource Identifiers and their handling with the new API. Added two new API functions: uri_string:allowed_characters/0 and uri_string:percent_decode/1.

This change has been marked as potentially incompatible as uri_string:normalize/2 used to decode percent-encoded character triplets that corresponded to characters not in the reserved set. After this change, uri_string:normalize/2 will only decode those percent-encoded triplets that correspond to characters in the unreserved set (ALPHA / DIGIT / "-" / "." / "_" / "~").

A full list of bug fixes and improvements in the readme.

Download and documentation

Online documentation can be browsed here:
https://erlang.org/documentation/doc-11.1.4/doc

Pre-built versions for Windows can be fetched here:
https://erlang.org/download/otp_win32_23.2.exe
https://erlang.org/download/otp_win64_23.2.exe

The Erlang/OTP source can also be found at GitHub on the official Erlang repository:
https://github.com/erlang/otp

Tags: [ release OTP 23 ]

Written by Henrik, 23 Sep 2020

OTP 23.1

Erlang/OTP 23.1 is a the first maintenance patch release for OTP 23, with mostly bug fixes as well as a few improvements.

Vulnerability fix

A vulnerability in the httpd module (inets application) regarding directory traversal that was introduced in OTP 22.3.1 and corrected in OTP 22.3.4.6. It was also introduced in OTP 23.0 and corrected in OTP 23.1 The vulnerability is registered as CVE-2020-25623.
The vulnerability is only exposed if the http server (httpd) in the inets application is used. The vulnerability makes it possible to read arbitrary files which the Erlang system has read access to with for example a specially prepared http request.

General build issues

Adjust /bin/sh to /system/bin/sh in scripts when installing on Android.
Changes in build system to make it build for macOS 11.0 with Apple Silicon. Also corrected execution of match specs to work on Apple Silicon.

Full list of bug fixes and improvements in the readme.

http://erlang.org/download/OTP-23.1.README

Download and doc

Pre built versions for Windows can be fetched here:
http://erlang.org/download/otp_win32_23.1.exe
http://erlang.org/download/otp_win64_23.1.exe

Online documentation can be browsed here:
http://erlang.org/documentation/doc-11.1/doc
The Erlang/OTP source can also be found at GitHub on the official Erlang repository,
https://github.com/erlang/otp

Tags: [ release OTP 23 ]