chore(deps): update dependency erlang to v29.0.3 #169
No reviewers
Labels
No labels
Area
Editor
Area
Micropub
Compat
Breaking
Kind
Bug
Kind
Documentation
Kind
Enhancement
Kind
Feature
Kind
Infra
Kind
Security
Kind
Testing
Priority
Critical
Priority
High
Priority
Low
Priority
Medium
Reviewed
Confirmed
Reviewed
Duplicate
Reviewed
Invalid
Reviewed
Won't Fix
Status
Abandoned
Status
Blocked
Status
Need More Info
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
inhji/hajur!169
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "renovate/erlang-29.x"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This PR contains the following updates:
29.0.1→29.0.3Release Notes
erlang/otp (erlang)
v29.0.3: OTP 29.0.3Compare Source
Check out the git tag OTP-29.0.3, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.
common_test-1.31.1
The common_test-1.31.1 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
Fixed a crash in ct_netconfc that occurred when the remote server closed the SSH connection during NETCONF subsystem negotiation.
Own Id: OTP-20191
Related Id(s): ERIERL-1333, PR-11230
compiler-10.0.2
The compiler-10.0.2 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
Several compiler bugs that could crash the compiler or generate incorrect code in rare circumstances have been fixed.
Own Id: OTP-20222
Related Id(s): PR-11219
crypto-5.9.1
The crypto-5.9.1 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
crypto:compute_key/4foreddhandcrypto:generate_key/2,3foreddh/eddsanow raise anerror:{notsup, Info, Description}exception instead of returning the atomnotsupwhen the underlying cryptolib lacks support.Own Id: OTP-20215
Related Id(s): PR-11302
dialyzer-6.0.2
The dialyzer-6.0.2 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
Fix a bug with native record sets in
erl_types.erlOwn Id: OTP-20201
erts-17.0.3
The erts-17.0.3 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
Fixed an undefined behavior in the internal
erts_qsort()function, which could have been the cause of a beam crash seen when updating large maps.Own Id: OTP-20185
Related Id(s): PR-11215
Calculating
bxorof the largest supported positive integer (erlang:system_info(max_integer)) and-1would return[]instead of a raising asystem_limitexception.Own Id: OTP-20208
Related Id(s): PR-11269
Fix possible race between
ets:delete/1and terminating process with a fixation on the same table.Own Id: OTP-20217
Related Id(s): PR-11283
A few code generation issues for the JIT on AArch64 (ARM64) have been fixed.
For all platforms, the loader will reject some invalid BEAM files earlier.
Own Id: OTP-20226
Related Id(s): PR-11299
On 32-bit computers, the
md5BIFs would return an incorrect MD5 checksum for data of size 4GiB or more.Own Id: OTP-20227
Related Id(s): PR-11289
kernel-11.0.3
The kernel-11.0.3 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
inet:info/1 could crash when calling for a closing (port) socket.
Own Id: OTP-20173
Handling of the truncation bit in
inet_reshas been fixed so it properly falls back to querying over TCP after a truncated UDP reply.This fixes a bug introduced in OTP-28.4.2 - kernel-10.6.2 making a truncated UDP answer fail to parse and never execute the fallback, instead the name resolve operation fails.
Own Id: OTP-20199
Related Id(s): PR-11247
public_key-1.21.3
The public_key-1.21.3 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
Hardened OCSP response verification by using constant-time hash comparisons and rejecting responses exceeding 100 KB before ASN.1 decoding.
Own Id: OTP-20197
Related Id(s): PR-11239
ssh-6.0.2
The ssh-6.0.2 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
Fixed a path-existence oracle in the SFTP server where
SSH_FXP_REALPATHrequests with..components could bypass the configured root directory isolation, allowing an authenticated client to determine whether arbitrary paths exist on the host filesystem.Own Id: OTP-20183
Related Id(s): GH-SA-h9pw-h5w4-h976, PR-11294, CVE-2026-53422
Fixed an infinite loop in the SFTP server triggered when receiving
SSH_MSG_CHANNEL_EXTENDED_DATAon an SFTP channel, which caused the channel process to spin indefinitely on CPU without consuming its message queue.Own Id: OTP-20186
Related Id(s): GH-SA-7wp4-pc27-2vj9, PR-11295, CVE-2026-54886
Fixed mlkem768x25519 hybrid key exchange failing intermittently with "incorrect signature" when the X25519 shared secret had a leading zero byte. The shared secret is now encoded as a fixed-width 32-byte string per the specification.
Own Id: OTP-20196
Related Id(s): PR-11209
Fixed a race condition where SSH keepalive responses could be matched to unrelated pending requests due to incorrect request queue ordering. Requests are now matched in the order they were sent.
Own Id: OTP-20198
Related Id(s): PR-11244
The SFTP server now caps the read length in
SSH_FXP_READrequests to 255 KiB (matching OpenSSH'sSFTP_MAX_READ_LENGTH), preventing excessive memory allocation when clients request large reads.Own Id: OTP-20200
Related Id(s): PR-11259
Removed a server-side workaround (OTP-14827, introduced in OTP 20) that accepted SHA-1 user-auth signatures from clients identifying as OpenSSH 7.x when rsa-sha2-* was negotiated. The workaround addressed a distro-specific build issue in 2017 that no longer exists. Clients affected by this removal (extremely unlikely — requires a 10-year-old unpatched OpenSSH build) will see authentication failures and must upgrade.
Own Id: OTP-20206
Related Id(s): PR-11268
ssl-11.7.3
Note! The ssl-11.7.3 application cannot be applied independently of other applications on an arbitrary OTP 29 installation.
Fixed Bugs and Malfunctions
Correct small behavior bugs that occasionally could cause DTLS connection errors, unwanted behavior for legacy DHE_DSS, hiding of a distribution config error, and possible unorderly process tree shutdown.
Own Id: OTP-20190
Related Id(s): PR-11250
Initialize DTLS cookie to random value to avoid DoS attack with forged cookie during startup window.
Own Id: OTP-20194
Related Id(s): PR-11271, CVE-2026-54887
Guard TLS client for MITM injection of application data during "plain-text-window" during handshake.
Own Id: OTP-20207
Related Id(s): PR-11270, CVE-2026-54891
Improve error handling of TLS PSK sending ILLIGAL_PARMETER alert if binders and PSK-identities are not matched. Also mend recovery mechanism of ticket and session stores to be as resilient as possible to intermediate bugs.
Own Id: OTP-20216
Related Id(s): PR-11282, CVE-2026-55952
Fix race condition that could be used to DoS attack DTLS servers.
Own Id: OTP-20220
Related Id(s): PR-11306, CVE-2026-55950
A TLS-1.3 stateless session ticket with obfuscated_ticket_age set to zero was incorrectly accepted without checking the server-side ticket lifetime or the RFC 8446 Section 8.3 freshness window. The server now always validates ticket age using its own timestamp regardless of the client-reported age value.
Own Id: OTP-20230
Related Id(s): PR-11307
TLS-1.3 client rejects a second HelloRetryRequest as requiered in RFC 8446 Section 4.1.4
Own Id: OTP-20231
Related Id(s): PR-11309
A busy client node could self-trigger a ticket store crash if unlucky with scheduling if auto mode is used.
Own Id: OTP-20232
Related Id(s): PR-11311
Correct spec for CRL API
Own Id: OTP-20233
Related Id(s): PR-11281
stdlib-8.0.2
The stdlib-8.0.2 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
Several compiler bugs that could crash the compiler or generate incorrect code in rare circumstances have been fixed.
Own Id: OTP-20222
Related Id(s): PR-11219
Thanks to
Cole Christensen, Nick Krichevsky, Stefan Grundmann
v29.0.2: OTP 29.0.2Compare Source
Check out the git tag OTP-29.0.2, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.
dialyzer-6.0.1
The dialyzer-6.0.1 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
Fix native record bugs in Dialyzer
Own Id: OTP-20178
Related Id(s): PR-11199
diameter-2.7.1
The diameter-2.7.1 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
Fixed return value documentation of
diameter:service_info(SvcName, statistics)Own Id: OTP-20150
Related Id(s): GH-11105, PR-11146
erl_interface-5.8.1
The erl_interface-5.8.1 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
Fixed stack overflow in
ei_s_print_termfor very big integer terms (> 2000 hexadecimal digits long).Own Id: OTP-20160
Related Id(s): GH-SA-xcxj-5pg2-v72j, PR-11193, CVE-2026-49760
erts-17.0.2
The erts-17.0.2 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
A buffer overflow error when parsing SCTP ERROR or ABORT chunks has been fixed.
This could lead to stack corruption and VM crash, but ultimately with hard work by an attacker be refined into maybe even remote code execution.
Own Id: OTP-20165
Related Id(s): GH-SA-6f4f-chj5-5g97, PR-1234, CVE-2026-49759
ftp-1.2.6
The ftp-1.2.6 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
FTP client default connections that use the so called passive mode of FTP fails to properly validating the response IP of the server, hence a malicious or compromised FTP server could redirect the data connection to an arbitrary host, enabling s server-side request forgery (SSRF) and FTP bounce attacks.
Own Id: OTP-20166
Related Id(s): GH-SA-24cv-hwgr-37fq, PR-11186, CVE-2026-48858
inets-9.7.1
The inets-9.7.1 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
The HTTP client (httpc) now removes Authorization, Proxy-Authorization, Cookie, Referer, and Origin headers when following a redirect to a different host or port. Previously these headers were forwarded verbatim, potentially leaking credentials to unintended targets.
This follows the requirements of RFC 9110 §15.4.
Own Id: OTP-20155
Related Id(s): GH-SA-m75x-4vwg-ggjh, PR-11212, CVE-2026-48856
kernel-11.0.2
The kernel-11.0.2 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
gen_tcp_socket accept should explicitly inherit the same options as plain gen_tcp.
Own Id: OTP-20057
mnesia-4.26.1
The mnesia-4.26.1 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
Fixed docs of
mnesia:write/3to clarify when a transaction can terminate.Own Id: OTP-20149
Related Id(s): GH-11104, PR-11145
public_key-1.21.2
The public_key-1.21.2 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
Add missing macro reference for legacy algorithms md5 and sha224. This mainly improves error handling.
Own Id: OTP-20172
Related Id(s): PR-11195
ssh-6.0.1
The ssh-6.0.1 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
Fixed a timing-based username enumeration vulnerability during password authentication with the user_passwords option. A dummy PBKDF2 computation is now performed for invalid usernames to match the response time of valid ones.
Own Id: OTP-20153
Related Id(s): GH-SA-3w6p-vwhf-wvp4, PR-11157, CVE-2026-48859
Fixed SSH_FXP_READLINK handler in ssh_sftpd to strip the backend root prefix from symlink targets before returning them to the client, preventing disclosure of the server's absolute filesystem path when the root option is configured.
Own Id: OTP-20162
Related Id(s): GH-SA-pv7g-pjrq-x2fh, PR-11192, CVE-2026-48855
Fixed a race condition where SSH keep-alive responses could consume pending channel open requests, causing channel setup to fail silently.
Own Id: OTP-20181
Related Id(s): PR-11205
ssl-11.7.2
Note! The ssl-11.7.2 application cannot be applied independently of other applications on an arbitrary OTP 29 installation.
Fixed Bugs and Malfunctions
Fix miscellanies issues that could cause unnecessary memory consumption and in some less common scenarios or configurations cause connection failures.
Own Id: OTP-20154
Related Id(s): PR-11148
Erlang distribution over TLS run with the kernel 'check_ip' flag now properly enforce connecting nodes to be on the same LAN.
Own Id: OTP-20156
Related Id(s): GH-SA-gp7x-mfv6-52cv, PR-11181, CVE-2026-48860
Enhance error message, by fixing typo of atom in new error message related to `public_key` CVE-2026-42790 solution.
Own Id: OTP-20161
Related Id(s): PR-11148
Corrected SNI handling for TLS-1.3 only server, could cause connection failures if supported signature algorithms where changed by SNI option update.
Own Id: OTP-20174
Related Id(s): PR-27384
stdlib-8.0.1
The stdlib-8.0.1 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
Fix a bug where a tuple record operation within a native record anonymous update can crash.
Own Id: OTP-20151
Related Id(s): PR-11141
Fixed some bugs in
io_lib:bformat/2and native record printing.Own Id: OTP-20170
Related Id(s): PR-11154
tools-4.2.1
The tools-4.2.1 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
Xref could crash instead of returning an appropriate error tuple when asked to open a BEAM file without debug information but with a
moduledoc(false)attribute.Own Id: OTP-20163
Related Id(s): GH-11152, PR-11168
Thanks to
John Downey, Jonatan Männchen
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.
Update dependency erlang to v29.0.2to chore(deps): update dependency erlang to v29.0.2chore(deps): update dependency erlang to v29.0.2to Update dependency erlang to v29.0.2Update dependency erlang to v29.0.2to chore(deps): update dependency erlang to v29.0.2chore(deps): update dependency erlang to v29.0.2to Update dependency erlang to v29.0.2Update dependency erlang to v29.0.2to chore(deps): update dependency erlang to v29.0.2chore(deps): update dependency erlang to v29.0.2to Update dependency erlang to v29.0.2Update dependency erlang to v29.0.2to chore(deps): update dependency erlang to v29.0.2chore(deps): update dependency erlang to v29.0.2to chore(deps): update dependency erlang to v29.0.3799d966c53to20c203618920c2036189toe6ef7e2b4be6ef7e2b4bto29c7ef2253View command line instructions
Checkout
From your project repository, check out a new branch and test the changes.