Merge branch 'maint-28' into maint

Jakub Witczak · Jakub Witczak · commit 909d00633aa1 · 2025-09-10T16:24:44.000+02:00
* maint-28:
  Updated OTP version
  Prepare release
diff --git a/OTP_VERSION b/OTP_VERSION
@@ -1 +1 @@
-28.0.2
+28.0.3
diff --git a/erts/doc/notes.md b/erts/doc/notes.md
@@ -23,6 +23,21 @@ limitations under the License.
 
 This document describes the changes made to the ERTS application.
 
+## Erts 16.0.3
+
+### Fixed Bugs and Malfunctions
+
+- Update PCRE2 from 10.45 to 10.46. Fixes potential buffer read overflow on regular expressions with `(*scs:)` and `(*ACCEPT)` syntax combined.
+
+  Own Id: OTP-19755 Aux Id: [CVE-2025-58050]
+
+- Fixed bug that could cause crash in beam started with `erl -emu_type debug +JPperf true` with any type of tracing return from function.
+
+  Own Id: OTP-19761 Aux Id: [PR-19755]
+
+[CVE-2025-58050]: https://nvd.nist.gov/vuln/detail/2025-58050
+[PR-19755]: https://github.com/erlang/otp/pull/19755
+
 ## Erts 16.0.2
 
 ### Fixed Bugs and Malfunctions
diff --git a/erts/vsn.mk b/erts/vsn.mk
@@ -20,7 +20,7 @@
 # %CopyrightEnd%
 # 
 
-VSN = 16.0.2
+VSN = 16.0.3
 
 # Port number 4365 in 4.2
 # Port number 4366 in 4.3
diff --git a/lib/diameter/doc/notes.md b/lib/diameter/doc/notes.md
@@ -23,6 +23,16 @@ limitations under the License.
 
 Releases are listed in reverse chronological order, most recent first.
 
+## diameter 2.5.1
+
+### Fixed Bugs and Malfunctions
+
+- With this change message_cb callback will be called with updated state for processing 'ack' after 'send'.
+
+  Own Id: OTP-19753 Aux Id: [PR-9815]
+
+[PR-9815]: https://github.com/erlang/otp/pull/9815
+
 ## diameter 2.5
 
 ### Fixed Bugs and Malfunctions
diff --git a/lib/diameter/vsn.mk b/lib/diameter/vsn.mk
@@ -19,5 +19,5 @@
 # %CopyrightEnd%
 
 APPLICATION  = diameter
-DIAMETER_VSN = 2.5
+DIAMETER_VSN = 2.5.1
 APP_VSN      = $(APPLICATION)-$(DIAMETER_VSN)$(PRE_VSN)
diff --git a/lib/ssh/doc/notes.md b/lib/ssh/doc/notes.md
@@ -21,6 +21,43 @@ limitations under the License.
 -->
 # SSH Release Notes
 
+## Ssh 5.3.3
+
+### Fixed Bugs and Malfunctions
+
+- Option max_handles can be configured for sshd running SFTP. The positive integer value limits amount of file handles opened for a connection (by default 4096 is used).
+
+  *** POTENTIAL INCOMPATIBILITY ***
+
+  Own Id: OTP-19701 Aux Id: [CVE-2025-48041], [PR-10157]
+
+- Avoid decoding KEX messages providing too many algorithms. This change does not introduce new limitation but assures it is enforced earlier in processing chain. Adjustments in error logging during handshake.
+
+  *** POTENTIAL INCOMPATIBILITY ***
+
+  Own Id: OTP-19741 Aux Id: [CVE-2025-48040], [PR-10162]
+
+- A new 'max_path' option is now available in the sshd configuration, allowing administrators to set the maximum allowable path length. By default, this value is set to 4096 characters.
+
+  *** POTENTIAL INCOMPATIBILITY ***
+
+  Own Id: OTP-19742 Aux Id: [CVE-2025-48039], [PR-10155]
+
+- Reject file handles exceeding size specified in RFCs (256 bytes).
+
+  *** POTENTIAL INCOMPATIBILITY ***
+
+  Own Id: OTP-19748 Aux Id: [CVE-2025-48038], [PR-10156]
+
+[CVE-2025-48041]: https://nvd.nist.gov/vuln/detail/2025-48041
+[PR-10157]: https://github.com/erlang/otp/pull/10157
+[CVE-2025-48040]: https://nvd.nist.gov/vuln/detail/2025-48040
+[PR-10162]: https://github.com/erlang/otp/pull/10162
+[CVE-2025-48039]: https://nvd.nist.gov/vuln/detail/2025-48039
+[PR-10155]: https://github.com/erlang/otp/pull/10155
+[CVE-2025-48038]: https://nvd.nist.gov/vuln/detail/2025-48038
+[PR-10156]: https://github.com/erlang/otp/pull/10156
+
 ## Ssh 5.3.2
 
 ### Fixed Bugs and Malfunctions
diff --git a/lib/ssh/vsn.mk b/lib/ssh/vsn.mk
@@ -1,6 +1,6 @@
 #-*-makefile-*-   ; force emacs to enter makefile-mode
 
-SSH_VSN = 5.3.2
+SSH_VSN = 5.3.3
 APP_VSN    = "ssh-$(SSH_VSN)"
 
 # %CopyrightBegin%
diff --git a/lib/stdlib/doc/notes.md b/lib/stdlib/doc/notes.md
@@ -23,6 +23,16 @@ limitations under the License.
 
 This document describes the changes made to the STDLIB application.
 
+## STDLIB 7.0.3
+
+### Fixed Bugs and Malfunctions
+
+- Update PCRE2 from 10.45 to 10.46. Fixes potential buffer read overflow on regular expressions with `(*scs:)` and `(*ACCEPT)` syntax combined.
+
+  Own Id: OTP-19755 Aux Id: [CVE-2025-58050]
+
+[CVE-2025-58050]: https://nvd.nist.gov/vuln/detail/2025-58050
+
 ## STDLIB 7.0.2
 
 ### Fixed Bugs and Malfunctions
diff --git a/lib/stdlib/src/stdlib.app.src b/lib/stdlib/src/stdlib.app.src
@@ -122,6 +122,6 @@
                dets]},
   {applications, [kernel]},
   {env, []},
-  {runtime_dependencies, ["sasl-3.0","kernel-10.0","erts-@OTP-19755@","crypto-4.5",
+  {runtime_dependencies, ["sasl-3.0","kernel-10.0","erts-16.0.3","crypto-4.5",
 			  "compiler-5.0", "syntax_tools-3.2.1"]}
 ]}.
diff --git a/lib/stdlib/src/stdlib.appup.src b/lib/stdlib/src/stdlib.appup.src
@@ -55,7 +55,8 @@
   {<<"^6\\.2\\.2(?:\\.[0-9]+)*$">>,[restart_new_emulator]},
   {<<"^7\\.0$">>,[restart_new_emulator]},
   {<<"^7\\.0\\.0(?:\\.[0-9]+)+$">>,[restart_new_emulator]},
-  {<<"^7\\.0\\.1(?:\\.[0-9]+)*$">>,[restart_new_emulator]}],
+  {<<"^7\\.0\\.1(?:\\.[0-9]+)*$">>,[restart_new_emulator]},
+  {<<"^7\\.0\\.2(?:\\.[0-9]+)*$">>,[restart_new_emulator]}],
  [{<<"^5\\.0$">>,[restart_new_emulator]},
   {<<"^5\\.0\\.0(?:\\.[0-9]+)+$">>,[restart_new_emulator]},
   {<<"^5\\.0\\.1(?:\\.[0-9]+)*$">>,[restart_new_emulator]},
@@ -81,4 +82,5 @@
   {<<"^6\\.2\\.2(?:\\.[0-9]+)*$">>,[restart_new_emulator]},
   {<<"^7\\.0$">>,[restart_new_emulator]},
   {<<"^7\\.0\\.0(?:\\.[0-9]+)+$">>,[restart_new_emulator]},
-  {<<"^7\\.0\\.1(?:\\.[0-9]+)*$">>,[restart_new_emulator]}]}.
+  {<<"^7\\.0\\.1(?:\\.[0-9]+)*$">>,[restart_new_emulator]},
+  {<<"^7\\.0\\.2(?:\\.[0-9]+)*$">>,[restart_new_emulator]}]}.
diff --git a/lib/stdlib/vsn.mk b/lib/stdlib/vsn.mk
@@ -1,4 +1,4 @@
-STDLIB_VSN = 7.0.2
+STDLIB_VSN = 7.0.3
 
 # %CopyrightBegin%
 #
diff --git a/make/otp_version_tickets_in_merge b/make/otp_version_tickets_in_merge
@@ -0,0 +1,7 @@
+OTP-19701
+OTP-19741
+OTP-19742
+OTP-19748
+OTP-19753
+OTP-19755
+OTP-19761
diff --git a/otp_versions.table b/otp_versions.table
@@ -1,3 +1,4 @@
+OTP-28.0.3 : diameter-2.5.1 erts-16.0.3 ssh-5.3.3 stdlib-7.0.3 # asn1-5.4.1 common_test-1.28 compiler-9.0.1 crypto-5.6 debugger-6.0.2 dialyzer-5.4 edoc-1.4 eldap-1.2.16 erl_interface-5.6 et-1.7.2 eunit-2.10 ftp-1.2.4 inets-9.4 jinterface-1.15 kernel-10.3.2 megaco-4.8 mnesia-4.24 observer-2.18 odbc-2.16 os_mon-2.11 parsetools-2.7 public_key-1.18.2 reltool-1.0.2 runtime_tools-2.2 sasl-4.3 snmp-5.19 ssl-11.3.2 syntax_tools-4.0 tftp-1.2.3 tools-4.1.2 wx-2.5.1 xmerl-2.1.5 :
 OTP-28.0.2 : compiler-9.0.1 debugger-6.0.2 erts-16.0.2 kernel-10.3.2 public_key-1.18.2 ssh-5.3.2 ssl-11.3.2 stdlib-7.0.2 wx-2.5.1 # asn1-5.4.1 common_test-1.28 crypto-5.6 dialyzer-5.4 diameter-2.5 edoc-1.4 eldap-1.2.16 erl_interface-5.6 et-1.7.2 eunit-2.10 ftp-1.2.4 inets-9.4 jinterface-1.15 megaco-4.8 mnesia-4.24 observer-2.18 odbc-2.16 os_mon-2.11 parsetools-2.7 reltool-1.0.2 runtime_tools-2.2 sasl-4.3 snmp-5.19 syntax_tools-4.0 tftp-1.2.3 tools-4.1.2 xmerl-2.1.5 :
 OTP-28.0.1 : asn1-5.4.1 debugger-6.0.1 eldap-1.2.16 erts-16.0.1 kernel-10.3.1 public_key-1.18.1 ssh-5.3.1 ssl-11.3.1 stdlib-7.0.1 xmerl-2.1.5 # common_test-1.28 compiler-9.0 crypto-5.6 dialyzer-5.4 diameter-2.5 edoc-1.4 erl_interface-5.6 et-1.7.2 eunit-2.10 ftp-1.2.4 inets-9.4 jinterface-1.15 megaco-4.8 mnesia-4.24 observer-2.18 odbc-2.16 os_mon-2.11 parsetools-2.7 reltool-1.0.2 runtime_tools-2.2 sasl-4.3 snmp-5.19 syntax_tools-4.0 tftp-1.2.3 tools-4.1.2 wx-2.5 :
 OTP-28.0 : asn1-5.4 common_test-1.28 compiler-9.0 crypto-5.6 debugger-6.0 dialyzer-5.4 diameter-2.5 edoc-1.4 eldap-1.2.15 erl_interface-5.6 erts-16.0 et-1.7.2 eunit-2.10 ftp-1.2.4 inets-9.4 jinterface-1.15 kernel-10.3 megaco-4.8 mnesia-4.24 observer-2.18 odbc-2.16 os_mon-2.11 parsetools-2.7 public_key-1.18 reltool-1.0.2 runtime_tools-2.2 sasl-4.3 snmp-5.19 ssh-5.3 ssl-11.3 stdlib-7.0 syntax_tools-4.0 tftp-1.2.3 tools-4.1.2 wx-2.5 xmerl-2.1.4 # :

Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@`
`20`	`20`	`# %CopyrightEnd%`
`21`	`21`	`#`
`22`	`22`
`23`		`-VSN = 16.0.2`
	`23`	`+VSN = 16.0.3`
`24`	`24`
`25`	`25`	`# Port number 4365 in 4.2`
`26`	`26`	`# Port number 4366 in 4.3`