Erlang/OTP 29.0.1

OTP-20130

Application(s):

public_key, ssl

Related Id(s):

PR-11124, CVE-2026-42790

‘public_key’, Adhere to RFC 9525, and remove support for legacy fallback to check hostname against subject common name. Also improve error handling creating two separate errors for name constraint check for subject names and subject alternative names.

‘ssl’. Error handling is slightly changed to better reflect public_key behaviour.

The compiler-10.0.1 application can be applied independently of other applications on a full OTP 29 installation.

OTP-20140

Related Id(s):

GH-11088, PR-11089

In rare circumstances, optimization of boolean expressions could invert the boolean value.

OTP-20146

Related Id(s):

PR-11135

The compiler could crash when compiling code using native records in certain ways.

Full runtime dependencies of compiler-10.0.1

crypto-5.1, erts-13.0, kernel-8.4, stdlib-8.0

The erts-17.0.1 application can be applied independently of other applications on a full OTP 29 installation.

OTP-20139

Related Id(s):

PR-11107

Comparison of two native records could return an incorrect result or crash the runtime system.

Full runtime dependencies of erts-17.0.1

kernel-9.0, sasl-3.3, stdlib-4.1

The kernel-11.0.1 application can be applied independently of other applications on a full OTP 29 installation.

OTP-20134

Related Id(s):

PR-11007

SCTP peeloff of an IPv6 socket, the peeled-off socket does not inherit the parent options as expected.

Full runtime dependencies of kernel-11.0.1

crypto-5.8, erts-17.0, sasl-3.0, stdlib-8.0

The public_key-1.21.1 application can be applied independently of other applications on a full OTP 29 installation.

OTP-20112

Related Id(s):

PR-11136

OCSP responder certificates are now checked for expiration before being accepted as authorized responders. Previously, expired or not-yet-valid responder certificates were incorrectly accepted when verifying OCSP responses.

OTP-20129

Related Id(s):

PR-11123, CVE-2026-42789

Corrected basic constraint path validation check in accordance to RFC 5280.

OTP-20130

POTENTIAL INCOMPATIBILITY

 

‘public_key’, Adhere to RFC 9525, and remove support for legacy fallback to check hostname against subject common name. Also improve error handling creating two separate errors for name constraint check for subject names and subject alternative names.

‘ssl’. Error handling is slightly changed to better reflect public_key behaviour.

Full runtime dependencies of public_key-1.21.1

asn1-5.0, crypto-5.8, erts-13.0, kernel-8.0, stdlib-4.0

The snmp-5.20.4 application can be applied independently of other applications on a full OTP 29 installation.

OTP-20138

Related Id(s):

ERIERL-1321, PR-11100

Fixed a bug in snmpm_usm:generate_outgoing_msg/5 that caused a badmatch crash when constructing an error response for an unknown user/engineID combination.

Full runtime dependencies of snmp-5.20.4

asn1-5.4, crypto-4.6, erts-12.0, kernel-8.0, mnesia-4.12, runtime_tools-1.8.14, stdlib-5.0

Note! The ssl-11.7.1 application cannot be applied independently of other applications on an arbitrary OTP 29 installation.

   On a full OTP 29 installation, also the following runtime
   dependency has to be satisfied:
   -- public_key-1.21.1 (first satisfied in OTP 29.0.1)

OTP-20130

POTENTIAL INCOMPATIBILITY

 

‘public_key’, Adhere to RFC 9525, and remove support for legacy fallback to check hostname against subject common name. Also improve error handling creating two separate errors for name constraint check for subject names and subject alternative names.

‘ssl’. Error handling is slightly changed to better reflect public_key behaviour.

OTP-20141

Related Id(s):

PR-11125

Could cause server to terminate a connection without an alert towards a bad client.

Full runtime dependencies of ssl-11.7.1

crypto-5.8, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.21.1, runtime_tools-1.15.1, stdlib-7.0

Martin Hässler, Paul Guyot