Erlang/OTP 27.3.4.3

This release of Erlang/OTP can be built from source or installed using pre-built packages for your OS or third-party tools (such as kerl, asdf or mise).

docker run -it erlang:27.3.4.3
Erlang/OTP 27.3.4.3
View on github.com
Patch Package OTP 27.3.4.3
Git Tag OTP-27.3.4.3
Date 2025-09-10
Issue Id
CVE-2025-48038
CVE-2025-48039
CVE-2025-48040
CVE-2025-48041
System OTP
Release 27
Application
Potential Incompatibilities

Potential Incompatibilities #

OTP-19701
Application(s):
ssh
Related Id(s):

PR-10157, CVE-2025-48041

Option max_handles can be configured for sshd running SFTP. The positive integer value limits amount of file handles opened for a connection (by default 4096 is used).

OTP-19741
Application(s):
ssh
Related Id(s):

PR-10162, CVE-2025-48040

Avoid decoding KEX messages providing too many algorithms. This change does not introduce new limitation but assures it is enforced earlier in processing chain. Adjustments in error logging during handshake.

OTP-19742
Application(s):
ssh
Related Id(s):

PR-10155, CVE-2025-48039

A new ‘max_path’ option is now available in the sshd configuration, allowing administrators to set the maximum allowable path length. By default, this value is set to 4096 characters.

OTP-19748
Application(s):
ssh
Related Id(s):

PR-10156, CVE-2025-48038

Reject file handles exceeding size specified in RFCs (256 bytes).

compiler-8.6.1.2 #

The compiler-8.6.1.2 application can be applied independently of other applications on a full OTP 27 installation.

OTP-19722
Related Id(s):

GH-10077, PR-10090

In rare circumstances, the compiler could crash when compiling code using bit syntax construction.

Full runtime dependencies of compiler-8.6.1.2

crypto-5.1, erts-13.0, kernel-8.4, stdlib-6.0

debugger-5.5.0.1 #

The debugger-5.5.0.1 application can be applied independently of other applications on a full OTP 27 installation.

OTP-19719
Related Id(s):

GH-10057, PR-10066

Fix unbound error in interpreted modules

Full runtime dependencies of debugger-5.5.0.1

compiler-8.0, erts-15.0, kernel-10.0, stdlib-3.15, wx-2.0

erts-15.2.7.2 #

The erts-15.2.7.2 application can be applied independently of other applications on a full OTP 27 installation.

OTP-19728
Related Id(s):

GH-10072, PR-10093

As an optimization, when the unicode:characters_to_binary/3 was used to convert from latin1 to utf8 or vice versa, it would return the original binary unchanged if it only contained 7-bit ASCII characters. That otpimization was broken in Erlang/OTP 27, and has now been mended.

Full runtime dependencies of erts-15.2.7.2

kernel-9.0, sasl-3.3, stdlib-4.1

inets-9.3.2.1 #

The inets-9.3.2.1 application can be applied independently of other applications on a full OTP 27 installation.

OTP-19729
Related Id(s):

GH-3392, PR-6223

Fixed a bug where a request sent to httpd server which is using CGI script to generate a response, would pollute server’s environment variable - HTTP_PROXY for that request. This bug is also known as httpoxy. More information: CVE-2016-1000107

OTP-19760
Related Id(s):

GH-10065, PR-10120

Fixed a RFC 2616 violation, where a http request, made by httpc, without providing any options, would be sent with an empty TE header, without also having a TE value in the connection header. Now the default request doesn’t send a TE header at all.

Full runtime dependencies of inets-9.3.2.1

erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0

ssh-5.2.11.3 #

The ssh-5.2.11.3 application can be applied independently of other applications on a full OTP 27 installation.

OTP-19701
POTENTIAL INCOMPATIBILITY
 

Option max_handles can be configured for sshd running SFTP. The positive integer value limits amount of file handles opened for a connection (by default 4096 is used).

OTP-19741
POTENTIAL INCOMPATIBILITY
 

Avoid decoding KEX messages providing too many algorithms. This change does not introduce new limitation but assures it is enforced earlier in processing chain. Adjustments in error logging during handshake.

OTP-19742
POTENTIAL INCOMPATIBILITY
 

A new ‘max_path’ option is now available in the sshd configuration, allowing administrators to set the maximum allowable path length. By default, this value is set to 4096 characters.

OTP-19748
POTENTIAL INCOMPATIBILITY
 

Reject file handles exceeding size specified in RFCs (256 bytes).

Full runtime dependencies of ssh-5.2.11.3

crypto-5.0, erts-14.0, kernel-9.0, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0

syntax_tools-3.2.2.1 #

The syntax_tools-3.2.2.1 application can be applied independently of other applications on a full OTP 27 installation.

OTP-19740
Related Id(s):

GH-10103, PR-10118

Backport fix for annotating maybe to OTP-27

Full runtime dependencies of syntax_tools-3.2.2.1

compiler-7.0, erts-9.0, kernel-5.0, stdlib-4.0

Thanks To #

Marcel Lanz, Savvas Nicholas