| Patch Package | OTP 28.4.3 |
| Git Tag | OTP-28.4.3 |
| Date | 2026-04-21 |
| Issue Id | |
| System | OTP |
| Release | 28 |
| Application |
kernel-10.6.3
The kernel-10.6.3 application can be applied independently of other applications on a full OTP 28 installation.
- OTP-20104
- Related Id(s):
On Windows, sockets have to be bound when using ‘socket’. Therefore, when using gen_tcp with inet_backend = socket, gen_tcp_socket binds even if the caller has not provided an explicit bind address. In that case it attempts to locate a “proper” address on its own. But if the connect address is the loopback address, this could lead to an attempt to bind to an external interface. This has now been changed so that if the connect address is the loopback address, the loopback address is also used when binding.
Full runtime dependencies of kernel-10.6.3
crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-7.0
ssh-5.5.2
Note! The ssh-5.5.2 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.
On a full OTP 28 installation, the following runtime dependency also has to be satisfied:
- crypto-5.7 (first satisfied in OTP 28.1)
- OTP-20081
- Related Id(s):
Fixed a vulnerability in the SFTP server where file attributes could be modified outside the configured root directory. When using FSETSTAT on an open file handle, the operation used the path stored in the handle without verifying it was within the root directory, allowing attribute changes to files outside the chroot boundary.
Thanks to John Downey.
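The check described in this fix, modelled as an added Python example; it is not code from Erlang/OTP or its ssh application. The `SftpModel` class, its method names, the sample paths and the use of `SSH_FX_PERMISSION_DENIED` as the refusal status are assumptions made for illustration.

```python
import os
import stat
import tempfile


class SftpModel:  # toy server state: a root directory and a table of open handles
    def __init__(self, root):
        self.root = os.path.realpath(root)
        self.handles = {}  # handle id -> path recorded when the file was opened

    def within_root(self, path):
        # Resolve symlinks and "..", then compare path components, not string prefixes.
        real = os.path.realpath(path)
        return os.path.commonpath([self.root, real]) == self.root

    def fsetstat_unchecked(self, handle, mode):
        # Behaviour the release note describes before the fix: stored path is trusted.
        os.chmod(self.handles[handle], mode)
        return "SSH_FX_OK"

    def fsetstat_checked(self, handle, mode):
        # Re-validate the stored path at the point of use, then apply the change.
        path = self.handles.get(handle)
        if path is None:
            return "SSH_FX_FAILURE"
        if not self.within_root(path):
            return "SSH_FX_PERMISSION_DENIED"  # assumed status; the page names none
        os.chmod(path, mode)
        return "SSH_FX_OK"


def demo():
    with tempfile.TemporaryDirectory() as base:
        inside = os.path.join(base, "sftp_root", "report.txt")
        outside = os.path.join(base, "sftp_root_old", "report.txt")  # sibling dir
        for path in (inside, outside):
            os.makedirs(os.path.dirname(path))
            with open(path, "w") as fh:
                fh.write("constructed sample file\n")
            os.chmod(path, 0o600)
        server = SftpModel(os.path.join(base, "sftp_root"))
        server.handles = {1: inside, 2: outside}  # constructed handle table
        statuses = [server.fsetstat_checked(h, 0o640) for h in (1, 2)]
        modes = [stat.S_IMODE(os.stat(p).st_mode) for p in (inside, outside)]
        return statuses, modes


if __name__ == "__main__":
    print(demo())
```

The outside file sits in `sftp_root_old`, a sibling whose name begins with the root's name, so the component-wise comparison refuses it where a string-prefix comparison would have accepted it.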
Full runtime dependencies of ssh-5.5.2
crypto-5.7, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0