Update dependency erlang to v28

[renovate]

This PR contains the following updates:

Package	Update	Change
erlang	major	27.3.4 -> 28.1.1

---

Release Notes

erlang/otp (erlang)

v28.1.1: OTP 28.1.1

Compare Source

Patch Package:           OTP 28.1.1
Git Tag:                 OTP-28.1.1
Date:                    2025-10-20
Trouble Report Id:       OTP-19768, OTP-19771, OTP-19774, OTP-19780,
                         OTP-19790, OTP-19791, OTP-19792, OTP-19796,
                         OTP-19799, OTP-19806
Seq num:                 ERERL-1261, ERIERL-1251, ERIERL-1264,
                         GH-10150, GH-10191, GH-10212, GH-10217,
                         PR-10182, PR-10194, PR-10201, PR-10221,
                         PR-10241, PR-10245, PR-10248, PR-10249,
                         PR-10274, PR-9970
System:                  OTP
Release:                 28
Application:             diameter-2.5.2, erts-16.1.1, kernel-10.4.1,
                         ssl-11.4.1, xmerl-2.1.7
Predecessor:             OTP 28.1

Check out the git tag OTP-28.1.1, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

OTP-28.1.1

Improvements and New Features

• When building OTP, some applications may be skipped due to lacking dependencies, or due to user choice. Such skipped applications are excluded from the docs build step and a placeholder page is displayed in their stead.

  Own Id: OTP-19771
  Related Id(s): ERIERL-1251, PR-10194

diameter-2.5.2

The diameter-2.5.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Added documentation about 'proxy' and 'resend' options in diameter:handle_request/3

  Own Id: OTP-19768
  Related Id(s): GH-10150, PR-10182

Full runtime dependencies of diameter-2.5.2

erts-10.0, kernel-3.2, ssl-9.0, stdlib-5.0

erts-16.1.1

The erts-16.1.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fixed the erl documentation of the default timewarp mode used.

  Own Id: OTP-19790
  Related Id(s): PR-9970

• The erlang:suspend_process() BIFs failed to suspend processes currently executing on dirty schedulers.

  Own Id: OTP-19799
  Related Id(s): PR-10241

Full runtime dependencies of erts-16.1.1

kernel-9.0, sasl-3.3, stdlib-4.1

kernel-10.4.1

The kernel-10.4.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• With this change group.erl will not crash when receiving unknown message.

  Own Id: OTP-19796
  Related Id(s): ERIERL-1264, PR-10248

Full runtime dependencies of kernel-10.4.1

crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-6.0

ssl-11.4.1

Note! The ssl-11.4.1 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependencies have to be satisfied:
   -- crypto-5.7 (first satisfied in OTP 28.1)
   -- public_key-1.18.3 (first satisfied in OTP 28.1)

Fixed Bugs and Malfunctions

• Fixed so that sending of application data will adhere to max_fragment_length. This was broken in OTP-27 release by an optimization.

  Own Id: OTP-19774
  Related Id(s): GH-10191, PR-10201

• PR-10046 put to hard requirements on key file content. Make sure same file can be used as keyfile and certfile

  Own Id: OTP-19780
  Related Id(s): GH-10212, GH-10217, PR-10221

• Assert that hello extensions are unique and send an illegal parameter alert if they are not.

  Own Id: OTP-19791
  Related Id(s): PR-10245

• Avoid sending an internal message to the user process in conjunction with handling a key update.

  Own Id: OTP-19806
  Related Id(s): PR-10274

Full runtime dependencies of ssl-11.4.1

crypto-5.7, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.18.3, runtime_tools-1.15.1, stdlib-7.0

xmerl-2.1.7

The xmerl-2.1.7 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• The XSD validation failed due to not handling the optional text blocks correctly in an XSD complex type with attribute mixed=true.

  Own Id: OTP-19792
  Related Id(s): PR-10249, ERERL-1261

Full runtime dependencies of xmerl-2.1.7

erts-6.0, kernel-8.4, stdlib-2.5

Thanks to

Daniel Gorin, Dmytro Lytovchenko, Jean-Philippe Jodoin

v28.1: OTP 28.1

Compare Source

Patch Package:           OTP 28.1
Git Tag:                 OTP-28.1
Date:                    2025-09-17
Trouble Report Id:       OTP-16607, OTP-19552, OTP-19619, OTP-19642,
                         OTP-19646, OTP-19647, OTP-19648, OTP-19649,
                         OTP-19651, OTP-19655, OTP-19657, OTP-19659,
                         OTP-19660, OTP-19666, OTP-19667, OTP-19669,
                         OTP-19671, OTP-19677, OTP-19681, OTP-19685,
                         OTP-19686, OTP-19688, OTP-19689, OTP-19693,
                         OTP-19694, OTP-19696, OTP-19698, OTP-19704,
                         OTP-19706, OTP-19714, OTP-19719, OTP-19721,
                         OTP-19722, OTP-19723, OTP-19724, OTP-19725,
                         OTP-19726, OTP-19727, OTP-19728, OTP-19730,
                         OTP-19731, OTP-19733, OTP-19735, OTP-19736,
                         OTP-19737, OTP-19739, OTP-19745, OTP-19749,
                         OTP-19752, OTP-19754, OTP-19756, OTP-19757,
                         OTP-19758, OTP-19759, OTP-19760
Seq num:                 ERIERL-1209, ERIERL-1231, GH-10002, GH-10020,
                         GH-10057, GH-10061, GH-10065, GH-10072,
                         GH-10077, GH-10079, GH-10097, GH-10102,
                         GH-5697, GH-5756, GH-9631, GH-9638, GH-9771,
                         GH-9816, GH-9875, GH-9901, GH-9903, GH-9972,
                         GH-9987, OTP-16608, PR-10004, PR-10009,
                         PR-10011, PR-10014, PR-10019, PR-10034,
                         PR-10046, PR-10051, PR-10066, PR-10076,
                         PR-10084, PR-10085, PR-10087, PR-10090,
                         PR-10091, PR-10093, PR-10094, PR-10104,
                         PR-10106, PR-10108, PR-10112, PR-10113,
                         PR-10120, PR-10121, PR-10140, PR-10142,
                         PR-10146, PR-10147, PR-10153, PR-9589,
                         PR-9721, PR-9796, PR-9815, PR-9832, PR-9843,
                         PR-9853, PR-9862, PR-9869, PR-9876, PR-9879,
                         PR-9896, PR-9897, PR-9898, PR-9900, PR-9906,
                         PR-9909, PR-9912, PR-9927, PR-9949, PR-9954,
                         PR-9969, PR-9976, PR-9982, PR-9990
System:                  OTP
Release:                 28
Application:             asn1-5.4.2, common_test-1.29, compiler-9.0.2,
                         crypto-5.7, debugger-6.0.3, edoc-1.4.1,
                         erl_interface-5.6.1, erts-16.1, inets-9.4.2,
                         kernel-10.4, megaco-4.8.1, mnesia-4.24.1,
                         observer-2.18.1, os_mon-2.11.1,
                         public_key-1.18.3, runtime_tools-2.3,
                         snmp-5.19.1, ssl-11.4, stdlib-7.1,
                         syntax_tools-4.0.1, tools-4.1.3, wx-2.5.2,
                         xmerl-2.1.6
Predecessor:             OTP 28.0.4

Check out the git tag OTP-28.1, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

HIGHLIGHTS

• Added support for quantum crypto signature algorithm ML-DSA (ssl and public_key) and key exchange algorithm ML-KEM (ssl).

  Own Id: OTP-19552
  Application(s): public_key, ssl
  Related Id(s): PR-10004

• A User's Guide to dbg is now available in the documentation.

  Own Id: OTP-19655
  Application(s): runtime_tools
  Related Id(s): PR-9853

• Support for ML-DSA and ML-KEM provided by OpenSSL 3.5.

  Algorithms mldsa44, mldsa65 and mldsa87 can be passed to crypto:sign/4 and crypto:verify/5.

  New functions crypto:encapsulate_key/2 and crypto:decapsulate_key/3 can be used with mlkem512, mlkem768 and mlkem1024 to safely generate and communicate an encapsulated shared secret.

  Own Id: OTP-19657
  Application(s): crypto
  Related Id(s): PR-9900

• TLS server now fails early for supplied PEM file issues, such as the file not being found.

  Own Id: OTP-19706
  Application(s): ssl
  Related Id(s): GH-9631, PR-10046

POTENTIAL INCOMPATIBILITIES

• The internal inet_dns_tsig and inet_res modules have been fixed to TSIG verify the correct timestamp.

  In the process two undocumented error code atoms have been corrected to notauth and notzone to adhere to the DNS RFCs. Code that relied on the previous incorrect values may have to be corrected.

  Own Id: OTP-19756
  Application(s): kernel
  Related Id(s): PR-10146

OTP-28.1

Fixed Bugs and Malfunctions

• When any Erlang/OTP application has been disabled by configure, warnings from ex_doc when building the documentation are now disabled.

  Own Id: OTP-19646
  Related Id(s): GH-9875, PR-9876

• ./otp_build now respects TYPE and FLAVOR to when set.

  Own Id: OTP-19677
  Related Id(s): PR-9954

• Rendering of some tables in the documentation has been improved.

  Own Id: OTP-19752
  Related Id(s): PR-10142

Improvements and New Features

• In Efficiency Guide, the section about setelement/3 in Common Caveats has been updated.

  Own Id: OTP-19749
  Related Id(s): PR-10140

asn1-5.4.2

The asn1-5.4.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Decoding a constrained BIT STRING using JER was broken.

  Own Id: OTP-19681
  Related Id(s): PR-9949

• NIFs and linked-in drivers are now loadable when running in an Erlang source tree on Windows.

  Own Id: OTP-19686
  Related Id(s): PR-9969

Full runtime dependencies of asn1-5.4.2

erts-14.0, kernel-9.0, stdlib-5.0

common_test-1.29

The common_test-1.29 application can be applied independently of other applications on a full OTP 28 installation.

Improvements and New Features

• Improved printing of maps. Map keys are now printed in the same order as maps:iterator(Map, ordered) would sort them.

  Own Id: OTP-19642
  Related Id(s): ERIERL-1231, PR-9862

• ct:print will now suppress printing of timestamp and heading when the heading option is set to the empty string.

  Own Id: OTP-19714
  Related Id(s): PR-10051

Full runtime dependencies of common_test-1.29

compiler-6.0, crypto-4.5, debugger-4.1, erts-7.0, ftp-1.0, inets-6.0, kernel-8.4, observer-2.1, runtime_tools-1.8.16, sasl-2.5, snmp-5.1.2, ssh-4.0, stdlib-4.0, syntax_tools-1.7, tools-3.2, xmerl-1.3.8

compiler-9.0.2

The compiler-9.0.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fixed a compiler crash caused by patch order in destructive update.

  Own Id: OTP-19660
  Related Id(s): GH-9903, PR-9909

• Fixed a compiler crash in beam_ssa_pre_codegen caused by wrong handling of multiple phi patches in the destructive update pass.

  Own Id: OTP-19689
  Related Id(s): GH-9987, PR-9990

• Fixed a crash when a zip generator contains a map pattern.

  Own Id: OTP-19693
  Related Id(s): GH-10002, PR-10009

• In rare circumstances, the compiler could crash when compiling code using bit syntax construction.

  Own Id: OTP-19722
  Related Id(s): GH-10077, PR-10090

• A few minor bugs that could affect the beam_debug_info option were fixed.

  Own Id: OTP-19758
  Related Id(s): PR-10153

Full runtime dependencies of compiler-9.0.2

crypto-5.1, erts-13.0, kernel-8.4, stdlib-6.0

crypto-5.7

The crypto-5.7 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• NIFs and linked-in drivers are now loadable when running in an Erlang source tree on Windows.

  Own Id: OTP-19686
  Related Id(s): PR-9969

• Fixed bug seen to cause beam crash when doing init:restart() with crypto statically linked to OpenSSL (--disable-dynamic-ssl-lib). Bug exists since OTP 28.0.

  Own Id: OTP-19721
  Related Id(s): GH-10061, PR-10076

• Fixed crypto:strong_rand_bytes failing after init:restart on MacOS with statically linked OpenSSL.

  Own Id: OTP-19725
  Related Id(s): GH-10079, PR-10085

• Fixed crypto:hash(shake128 | shake256) for OpenSSL 3.4 and newer.

  Own Id: OTP-19733
  Related Id(s): GH-9901, PR-9982

• Rendering of some tables in the documentation has been improved.

  Own Id: OTP-19752
  Related Id(s): PR-10142

Improvements and New Features

• Support for ML-DSA and ML-KEM provided by OpenSSL 3.5.

  Algorithms mldsa44, mldsa65 and mldsa87 can be passed to crypto:sign/4 and crypto:verify/5.

  New functions crypto:encapsulate_key/2 and crypto:decapsulate_key/3 can be used with mlkem512, mlkem768 and mlkem1024 to safely generate and communicate an encapsulated shared secret.

  Own Id: OTP-19657
  Related Id(s): PR-9900

  *** HIGHLIGHT ***

• Added support for SHA2 512/224 and SHA2 512/256 truncated hashes.

  Own Id: OTP-19666
  Related Id(s): PR-9721

Full runtime dependencies of crypto-5.7

erts-9.0, kernel-6.0, stdlib-3.9

debugger-6.0.3

The debugger-6.0.3 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fixed unbound error in interpreted modules

  Own Id: OTP-19719
  Related Id(s): GH-10057, PR-10066

Full runtime dependencies of debugger-6.0.3

compiler-8.0, erts-15.0, kernel-10.0, stdlib-7.0, wx-2.0

edoc-1.4.1

The edoc-1.4.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Rendering of some tables in the documentation has been improved.

  Own Id: OTP-19752
  Related Id(s): PR-10142

Full runtime dependencies of edoc-1.4.1

erts-11.0, inets-5.10, kernel-7.0, stdlib-4.0, syntax_tools-2.0, xmerl-1.3.7

erl_interface-5.6.1

The erl_interface-5.6.1 application can be applied independently of other applications on a full OTP 28 installation.

Improvements and New Features

• Fixed C compiler warnings generated by codechecker.

  Own Id: OTP-19671
  Related Id(s): PR-9832

Known Bugs and Problems

• The ei API for decoding/encoding terms is not fully 64-bit compatible since terms that have a representation on the external term format larger than 2 GB cannot be handled.

  Own Id: OTP-16607
  Related Id(s): OTP-16608

erts-16.1

The erts-16.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Made sure to not set any terminal settings when they have not been changed. Doing so can trigger a SIGTTOU signal which would terminate Erlang when it should not.

  Own Id: OTP-19685
  Related Id(s): PR-9906

• As an optimization, when the unicode:characters_to_binary/3 was used to convert from latin1 to utf8 or vice versa, it would return the original binary unchanged if it only contained 7-bit ASCII characters. That otpimization was broken in Erlang/OTP 27, and has now been mended.

  Own Id: OTP-19728
  Related Id(s): GH-10072, PR-10093

Improvements and New Features

• Fixed C compiler warnings generated by codechecker.

  Own Id: OTP-19671
  Related Id(s): PR-9832

• Added support in module re for export and import of compiled regular expression in order to safely move them between Erlang node instances.

  Own Id: OTP-19730
  Related Id(s): PR-9976

• Added new erl command line flag +Mumadtn <bool> causing MADV_DONTNEED to be passed to madvise() instead of MADV_FREE.

  Own Id: OTP-19739
  Related Id(s): PR-10113

Full runtime dependencies of erts-16.1

kernel-9.0, sasl-3.3, stdlib-4.1

inets-9.4.2

The inets-9.4.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fixed a RFC 2616 violation, where a http request, made by httpc, without providing any options, would be sent with an empty TE header, without also having a TE value in the connection header. Now the default request doesn't send a TE header at all.

  Own Id: OTP-19760
  Related Id(s): GH-10065, PR-10120

Full runtime dependencies of inets-9.4.2

erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0

kernel-10.4

The kernel-10.4 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• A remote shell can now exit by closing the input stream, without terminating the remote node.

  Own Id: OTP-19667
  Related Id(s): PR-9912

• The internal inet_dns_tsig and inet_res modules have been fixed to TSIG verify the correct timestamp.

  In the process two undocumented error code atoms have been corrected to notauth and notzone to adhere to the DNS RFCs. Code that relied on the previous incorrect values may have to be corrected.

  Own Id: OTP-19756
  Related Id(s): PR-10146

  *** POTENTIAL INCOMPATIBILITY ***

Improvements and New Features

• The rudimentary DNS resolver inet_res has aqcuired 3 new functions inet_res:gethostbyname/4, inet_res;getbyname/4 and inet_res:gethostbyaddr/3, that all take an option list argument.

  This option list can be used to override the Kernel application's resolver options when calling the inet_res function directly.

  Own Id: OTP-19737
  Related Id(s): ERIERL-1209, PR-10112

Full runtime dependencies of kernel-10.4

crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-6.0

megaco-4.8.1

The megaco-4.8.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Documentation improvements.

  Own Id: OTP-19669
  Related Id(s): PR-9927

• Rendering of some tables in the documentation has been improved.

  Own Id: OTP-19752
  Related Id(s): PR-10142

Full runtime dependencies of megaco-4.8.1

asn1-3.0, debugger-4.0, erts-12.0, et-1.5, kernel-8.0, runtime_tools-1.8.14, stdlib-2.5

mnesia-4.24.1

The mnesia-4.24.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Mnesia no longer crashes when the node name is used as a table name.

  Own Id: OTP-19745
  Related Id(s): PR-10147

Full runtime dependencies of mnesia-4.24.1

erts-9.0, kernel-5.3, stdlib-5.0

observer-2.18.1

The observer-2.18.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• etop will now fully stop before returning from etop:stop/0.

  Own Id: OTP-19754
  Related Id(s): PR-9815

Full runtime dependencies of observer-2.18.1

erts-15.0, et-1.5, kernel-10.0, runtime_tools-2.1, stdlib-5.0, wx-2.3

os_mon-2.11.1

The os_mon-2.11.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• NIFs and linked-in drivers are now loadable when running in an Erlang source tree on Windows.

  Own Id: OTP-19686
  Related Id(s): PR-9969

Full runtime dependencies of os_mon-2.11.1

erts-14.0, kernel-9.0, sasl-4.2.1, stdlib-5.0

public_key-1.18.3

Note! The public_key-1.18.3 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependency has to be satisfied:
   -- crypto-5.7 (first satisfied in OTP 28.1)

Fixed Bugs and Malfunctions

• NIFs and linked-in drivers are now loadable when running in an Erlang source tree on Windows.

  Own Id: OTP-19686
  Related Id(s): PR-9969

• Added missing reference to SignedAttributes so that it now works with the der_encode and der_decode functions.

  Own Id: OTP-19727
  Related Id(s): PR-10091

Improvements and New Features

• Added support for quantum crypto signature algorithm ML-DSA (ssl and public_key) and key exchange algorithm ML-KEM (ssl).

  Own Id: OTP-19552
  Related Id(s): PR-10004

  *** HIGHLIGHT ***

Full runtime dependencies of public_key-1.18.3

asn1-5.0, crypto-5.7, erts-13.0, kernel-8.0, stdlib-4.0

runtime_tools-2.3

The runtime_tools-2.3 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• NIFs and linked-in drivers are now loadable when running in an Erlang source tree on Windows.

  Own Id: OTP-19686
  Related Id(s): PR-9969

Improvements and New Features

• The default tracer is now aware that it is started by a remote shell (-remsh), in which case the traces will be sent to the remote group_leader to make the traces visible in the remote shell.

  Own Id: OTP-19648
  Related Id(s): PR-9589

• A User's Guide to dbg is now available in the documentation.

  Own Id: OTP-19655
  Related Id(s): PR-9853

  *** HIGHLIGHT ***

Full runtime dependencies of runtime_tools-2.3

erts-16.0, kernel-10.0, mnesia-4.12, stdlib-6.0

snmp-5.19.1

The snmp-5.19.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Using ASN.1 generated code for decode/encode of basic types, starting with Counter64.

  Own Id: OTP-19619
  Related Id(s): GH-5756, PR-9869

Improvements and New Features

• Reworked the timer handling of the (SNMP) manager start notification feature.

  Own Id: OTP-19696
  Related Id(s): PR-10014

• Added missing specs to already documented functions.

  Own Id: OTP-19723
  Related Id(s): PR-10087

Full runtime dependencies of snmp-5.19.1

asn1-5.4, crypto-4.6, erts-12.0, kernel-8.0, mnesia-4.12, runtime_tools-1.8.14, stdlib-5.0

ssl-11.4

Note! The ssl-11.4 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependencies have to be satisfied:
   -- crypto-5.7 (first satisfied in OTP 28.1)
   -- public_key-1.18.3 (first satisfied in OTP 28.1)

Fixed Bugs and Malfunctions

• The sender side is now closed if an error occurs on the socket.

  Own Id: OTP-19694
  Related Id(s): PR-10011

• The PEM cache process no longer crashes when a configured file has been deleted before it could be read.

  Own Id: OTP-19698
  Related Id(s): GH-9638, PR-10019

• Corrected handling of ssl:sockname/1 for DTLS, so that it now will return the correct result in all situations.

  Own Id: OTP-19736
  Related Id(s): GH-10097, PR-10108

• Rendering of some tables in the documentation has been improved.

  Own Id: OTP-19752
  Related Id(s): PR-10142

Improvements and New Features

• Added support for quantum crypto signature algorithm ML-DSA (ssl and public_key) and key exchange algorithm ML-KEM (ssl).

  Own Id: OTP-19552
  Related Id(s): PR-10004

  *** HIGHLIGHT ***

• Now allowingsend/2 to buffer data when using sockets backend. Use 'high_watermark' and 'low_watermark' to steer buffering as gen_tcp does.

  Own Id: OTP-19651
  Related Id(s): PR-9879

• Now allowing the PSK identity to be the empty string in TLS-1.2 for compatibility reasons. It is allowed according to the spec, although providing a proper value makes more sense.

  Own Id: OTP-19688
  Related Id(s): PR-9843

• TLS server now fails early for supplied PEM file issues, such as the file not being found.

  Own Id: OTP-19706
  Related Id(s): GH-9631, PR-10046

  *** HIGHLIGHT ***

Full runtime dependencies of ssl-11.4

crypto-5.7, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.18.3, runtime_tools-1.15.1, stdlib-7.0

stdlib-7.1

Note! The stdlib-7.1 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependency has to be satisfied:
   -- erts-16.0.3 (first satisfied in OTP 28.0.3)

Fixed Bugs and Malfunctions

• The save_module/1 command in the shell now saves both the locally defined records and the imported records using the rr/1 command.

  Own Id: OTP-19647
  Related Id(s): GH-9816, PR-9897

• It's now possible to write lists:map(fun is_atom/1, []) or lists:map(fun my_func/1, []) in the shell, instead of lists:map(fun erlang:is_atom/1, []) or lists:map(fun shell_default:my_func/1, []).

  Own Id: OTP-19649
  Related Id(s): GH-9771, PR-9898

• The shell no longer crashes when requesting to auto-complete map keys containing non-atoms.

  Own Id: OTP-19659
  Related Id(s): PR-9896

• A remote shell can now exit by closing the input stream, without terminating the remote node.

  Own Id: OTP-19667
  Related Id(s): PR-9912

• Fixed guard check for is_record/2 in the linter.

  Own Id: OTP-19704
  Related Id(s): GH-10020, PR-10034

Improvements and New Features

• Added a flag option shell_hints and function shell:hints/1. You can now disable the warning in the shell when a command is taking longer than 5 seconds.

  Own Id: OTP-19759
  Related Id(s): PR-10121

Full runtime dependencies of stdlib-7.1

compiler-5.0, crypto-4.5, erts-16.0.3, kernel-10.0, sasl-3.0, syntax_tools-3.2.1

syntax_tools-4.0.1

The syntax_tools-4.0.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fixed zip generator crash in annotate_bindings/1

  Own Id: OTP-19731
  Related Id(s): GH-10102, PR-10104

Full runtime dependencies of syntax_tools-4.0.1

compiler-9.0, erts-16.0, kernel-10.3, stdlib-7.0

tools-4.1.3

The tools-4.1.3 application can be applied independently of other applications on a full OTP 28 installation.

Improvements and New Features

• Fixed some deprecations for newer emacs versions.

  Own Id: OTP-19726
  Related Id(s): PR-10106

Full runtime dependencies of tools-4.1.3

compiler-8.5, erts-15.0, erts-15.0, kernel-10.0, runtime_tools-2.1, stdlib-6.0

wx-2.5.2

The wx-2.5.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• NIFs and linked-in drivers are now loadable when running in an Erlang source tree on Windows.

  Own Id: OTP-19686
  Related Id(s): PR-9969

• Now avoiding that wx crashes the VM when running on OTP28+ due to one of the new compiler hardening options.

  Own Id: OTP-19724
  Related Id(s): GH-9972, PR-10084

Improvements and New Features

• wx was missing licenses that come from OpenGL documentation and wxWidgets documentation.

  Own Id: OTP-19735
  Related Id(s): PR-10094

Full runtime dependencies of wx-2.5.2

erts-12.0, kernel-8.0, stdlib-5.0

xmerl-2.1.6

The xmerl-2.1.6 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Corrected the bug that comments couldn't be exported.

  #xmlComment elements is now exported when calling export/3 or export_simple/3 and similar functions. Top level comments will only be exported if one creates and export elements as a document.

  Own Id: OTP-19757
  Related Id(s): GH-5697, PR-9796

Full runtime dependencies of xmerl-2.1.6

erts-6.0, kernel-8.4, stdlib-2.5

Thanks to

Alberto Sartori, Alexander Clouter, ausimian, Danil Zagoskin, dependabot[bot], Dmytro Lytovchenko, Dunya Kokoschka, Håkan Stenholm, Hans Svensson, Jan Uhlig, Magnus Henoch, Mend Renovate, Paulo Tomé, Rodolfo Carvalho, Savvas Nicholas, Simon Oulevay, Tomas Abrahamsson, Tom Schuster, Yaroslav Maslennikov

v28.0.4: OTP 28.0.4

Compare Source

Patch Package:           OTP 28.0.4
Git Tag:                 OTP-28.0.4
Date:                    2025-09-11
Trouble Report Id:       OTP-19729
Seq num:                 CVE-2016-1000107, GH-3392, PR-6223
System:                  OTP
Release:                 28
Application:             inets-9.4.1
Predecessor:             OTP 28.0.3

Check out the git tag OTP-28.0.4, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

inets-9.4.1

The inets-9.4.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fixed a bug where a request sent to httpd server which is using CGI script to generate a response, would pollute server's environment variable - HTTP_PROXY for that request. This bug is also known as httpoxy. More information: CVE-2016-1000107

  Own Id: OTP-19729
  Related Id(s): GH-3392, PR-6223, CVE-2016-1000107

Full runtime dependencies of inets-9.4.1

erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0

Thanks to

Marcel Lanz

v28.0.3: OTP 28.0.3

Compare Source

Patch Package:           OTP 28.0.3
Git Tag:                 OTP-28.0.3
Date:                    2025-09-10
Trouble Report Id:       OTP-19701, OTP-19741, OTP-19742, OTP-19748,
                         OTP-19753, OTP-19755, OTP-19761
Seq num:                 CVE-2025-48038, CVE-2025-48039,
                         CVE-2025-48040, CVE-2025-48041,
                         CVE-2025-58050, PR-10155, PR-10156, PR-10157,
                         PR-10162, PR-19755, PR-9815
System:                  OTP
Release:                 28
Application:             diameter-2.5.1, erts-16.0.3, ssh-5.3.3,
                         stdlib-7.0.3
Predecessor:             OTP 28.0.2

Check out the git tag OTP-28.0.3, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

POTENTIAL INCOMPATIBILITIES

• Option max_handles can be configured for sshd running SFTP. The positive integer value limits amount of file handles opened for a connection (by default 4096 is used).

  Own Id: OTP-19701
  Application(s): ssh
  Related Id(s): PR-10157, CVE-2025-48041

• Avoid decoding KEX messages providing too many algorithms. This change does not introduce new limitation but assures it is enforced earlier in processing chain. Adjustments in error logging during handshake.

  Own Id: OTP-19741
  Application(s): ssh
  Related Id(s): PR-10162, CVE-2025-48040

• A new 'max_path' option is now available in the sshd configuration, allowing administrators to set the maximum allowable path length. By default, this value is set to 4096 characters.

  Own Id: OTP-19742
  Application(s): ssh
  Related Id(s): PR-10155, CVE-2025-48039

• Reject file handles exceeding size specified in RFCs (256 bytes).

  Own Id: OTP-19748
  Application(s): ssh
  Related Id(s): PR-10156, CVE-2025-48038

diameter-2.5.1

The diameter-2.5.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• With this change message_cb callback will be called with updated state for processing 'ack' after 'send'.

  Own Id: OTP-19753
  Related Id(s): PR-9815

Full runtime dependencies of diameter-2.5.1

erts-10.0, kernel-3.2, ssl-9.0, stdlib-5.0

erts-16.0.3

The erts-16.0.3 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Update PCRE2 from 10.45 to 10.46. Fixes potential buffer read overflow on regular expressions with (*scs:) and (*ACCEPT) syntax combined.

  Own Id: OTP-19755
  Related Id(s): CVE-2025-58050

• Fixed bug that could cause crash in beam started with erl -emu_type debug +JPperf true with any type of tracing return from function.

  Own Id: OTP-19761
  Related Id(s): PR-19755

Full runtime dependencies of erts-16.0.3

kernel-9.0, sasl-3.3, stdlib-4.1

ssh-5.3.3

The ssh-5.3.3 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Option max_handles can be configured for sshd running SFTP. The positive integer value limits amount of file handles opened for a connection (by default 4096 is used).

  Own Id: OTP-19701
  Related Id(s): PR-10157, CVE-2025-48041

  *** POTENTIAL INCOMPATIBILITY ***

• Avoid decoding KEX messages providing too many algorithms. This change does not introduce new limitation but assures it is enforced earlier in processing chain. Adjustments in error logging during handshake.

  Own Id: OTP-19741
  Related Id(s): PR-10162, CVE-2025-48040

  *** POTENTIAL INCOMPATIBILITY ***

• A new 'max_path' option is now available in the sshd configuration, allowing administrators to set the maximum allowable path length. By default, this value is set to 4096 characters.

  Own Id: OTP-19742
  Related Id(s): PR-10155, CVE-2025-48039

  *** POTENTIAL INCOMPATIBILITY ***

• Reject file handles exceeding size specified in RFCs (256 bytes).

  Own Id: OTP-19748
  Related Id(s): PR-10156, CVE-2025-48038

  *** POTENTIAL INCOMPATIBILITY ***

Full runtime dependencies of ssh-5.3.3

crypto-5.0, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0

stdlib-7.0.3

Note! The stdlib-7.0.3 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependency has to be satisfied:
   -- erts-16.0.3 (first satisfied in OTP 28.0.3)

Fixed Bugs and Malfunctions

• Update PCRE2 from 10.45 to 10.46. Fixes potential buffer read overflow on regular expressions with (*scs:) and (*ACCEPT) syntax combined.

  Own Id: OTP-19755
  Related Id(s): CVE-2025-58050

Full runtime dependencies of stdlib-7.0.3

compiler-5.0, crypto-4.5, erts-16.0.3, kernel-10.0, sasl-3.0, syntax_tools-3.2.1

Thanks to

Alberto Sartori

v28.0.2: OTP 28.0.2

Compare Source

Patch Package:           OTP 28.0.2
Git Tag:                 OTP-28.0.2
Date:                    2025-07-17
Trouble Report Id:       OTP-19661, OTP-19670, OTP-19673, OTP-19674,
                         OTP-19678, OTP-19680, OTP-19682, OTP-19683,
                         OTP-19684, OTP-19687, OTP-19690, OTP-19691,
                         OTP-19697, OTP-19699, OTP-19700, OTP-19702,
                         OTP-19703, OTP-19707, OTP-19710, OTP-19711
Seq num:                 ERIERL-1240, ERIERL-1241, ERIERL-1242,
                         GH-10001, GH-10007, GH-10028, GH-10047,
                         GH-9632, GH-9655, GH-9858, GH-9884, GH-9992,
                         PR-10003, PR-10008, PR-10016, PR-10023,
                         PR-10024, PR-10029, PR-10031, PR-10035,
                         PR-10036, PR-10039, PR-10048, PR-9887,
                         PR-9930, PR-9952, PR-9953, PR-9955, PR-9994,
                         PR-9996
System:                  OTP
Release:                 28
Application:             compiler-9.0.1, debugger-6.0.2, erts-16.0.2,
                         kernel-10.3.2, public_key-1.18.2, ssh-5.3.2,
                         ssl-11.3.2, stdlib-7.0.2, wx-2.5.1
Predecessor:             OTP 28.0.1

Check out the git tag OTP-28.0.2, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

OTP-28.0.2

Fixed Bugs and Malfunctions

• Fix otp_patch_apply to work with Erlang/OTP 28 and later.

  Own Id: OTP-19682
  Related Id(s): PR-9953

compiler-9.0.1

The compiler-9.0.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fixed a bug that could cause empty bitstring matches to always succeed, even when they should not.

  Own Id: OTP-19711
  Related Id(s): GH-10047, PR-10048

Full runtime dependencies of compiler-9.0.1

crypto-5.1, erts-13.0, kernel-8.4, stdlib-6.0

debugger-6.0.2

The debugger-6.0.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fixed debugger priv dir, which was removed and caused crashes when the icons could not be found.

  Own Id: OTP-19687
  Related Id(s): GH-9858, PR-9994

Full runtime dependencies of debugger-6.0.2

compiler-8.0, erts-15.0, kernel-10.0, stdlib-7.0, wx-2.0

erts-16.0.2

The erts-16.0.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• prim_net nif used incorrect encoding for family resulting in non-functional address selection.

  Own Id: OTP-19674

• Fix windows uninstall command.

  Own Id: OTP-19683
  Related Id(s): GH-9884, GH-9992, PR-9887

• With this change erlang will start if it receives short (ms-dos compatible) path to executable.

  Own Id: OTP-19690
  Related Id(s): PR-9996

Improvements and New Features

• The maximum amount of connections for epmd on Windows platforms has been increased from 64 to 1024.

  Own Id: OTP-19710
  Related Id(s): PR-10039

Full runtime dependencies of erts-16.0.2

kernel-9.0, sasl-3.3, stdlib-4.1

kernel-10.3.2

The kernel-10.3.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• socket:sendv/3 with 'nowait' sometimes return 'completion' without 'CompletionInfo' (Windows only).

  Own Id: OTP-19661

• prim_net nif used incorrect encoding for family resulting in non-functional address selection.

  Own Id: OTP-19674

• socket:accept can return unexpected 'select_sent'.

  Own Id: OTP-19684
  Related Id(s): ERIERL-1242

• net_kernel could be blocked for a very long time when selecting distribution module for a connection if the DNS service was slow. This prevented any new connections to be set up during that time.

  Own Id: OTP-19702
  Related Id(s): ERIERL-1241, PR-10029

Improvements and New Features

• Improved documentation of CompletionStatus for asynchronous (nowait) socket operations.

  Own Id: OTP-19670
  Related Id(s): PR-9930

Full runtime dependencies of kernel-10.3.2

crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-6.0

public_key-1.18.2

The public_key-1.18.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Adjustments in include file to retain compatibility with supported ASN-1 standards, although not all record and macros are explicitly documented.

  Own Id: OTP-19678
  Related Id(s): GH-10001, PR-10008, PR-9955

• Handle certificates that are signed with RSASSA-PSS but the PSS params are specified in the 'SignatureAlgorithm' of the signed cert and not in the signer's 'SubjectPublicKeyInfo'.

  Own Id: OTP-19699
  Related Id(s): GH-9632, PR-10023

• Add modern ASN-1 specs to be able to retain support for ExtensionRequest from legacy PKCS-9 spec.

  Own Id: OTP-19703
  Related Id(s): GH-10028, PR-10031

Full runtime dependencies of public_key-1.18.2

asn1-5.0, crypto-5.0, erts-13.0, kernel-8.0, stdlib-4.0

ssh-5.3.2

The ssh-5.3.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fix file handle id generation.

  Own Id: OTP-19691
  Related Id(s): PR-10003

• Fixes a badmatch error, when SFTP operation cannot be processed due to channel closed in parallel.

  Own Id: OTP-19707
  Related Id(s): GH-9655, PR-10035, PR-10036

Full runtime dependencies of ssh-5.3.2

crypto-5.0, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0

ssl-11.3.2

The ssl-11.3.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Improve error message for bad arguments to underlying connect.

  Own Id: OTP-19697
  Related Id(s): GH-10007, PR-10016

Full runtime dependencies of ssl-11.3.2

crypto-5.6, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.16.4, runtime_tools-1.15.1, stdlib-7.0

stdlib-7.0.2

The stdlib-7.0.2 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• A set of small bugs in sort stability for `lists:sort/1` and `lists:keysort/1` has been fixed. The bug happened for only some, seemingly random, element sequences. Most sorts were stable.

  Sort stability for `lists:sort/1` is only possible to observe when sorting lists with floating point and integer numbers of the same value.

  For `lists:keysort/1` the list had to start with two tuples where the keys or the whole tuples compared equal.

  Own Id: OTP-19673
  Related Id(s): ERIERL-1240

• Fixed bug in io_lib:bformat/2 which crashed if format string contained unicode characters.

  Own Id: OTP-19680
  Related Id(s): PR-9952

Full runtime dependencies of stdlib-7.0.2

compiler-5.0, crypto-4.5, erts-16.0, kernel-10.0, sasl-3.0, syntax_tools-3.2.1

wx-2.5.1

The wx-2.5.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Don't include gl.beam in pre-built source tar file, since it depends on local configure results.

  Own Id: OTP-19700
  Related Id(s): PR-10024

Full runtime dependencies of wx-2.5.1

erts-12.0, kernel-8.0, stdlib-5.0

Thanks to

Dmytro Lytovchenko

GH-10001: #​10001 GH-10007: #​10007 GH-10028: #​10028 GH-10047: #​10047 GH-9632: #​9632 GH-9655: #​9655 GH-9858: #​9858 GH-9884: #​9884 GH-9992: #​9992 PR-10003: #​10003 PR-10008: #​10008 PR-10016: #​10016 PR-10023: #​10023 PR-10024: #​10024 PR-10029: #​10029 PR-10031: #​10031 PR-10035: #​10035 PR-10036: #​10036 PR-10039: #​10039 PR-10048: #​10048 PR-9887: #​9887 PR-9930: #​9930 PR-9952: #​9952 PR-9953: #​9953 PR-9955: #​9955 PR-9994: #​9994 PR-9996: #​9996

v28.0.1: OTP 28.0.1

Compare Source

Patch Package:           OTP 28.0.1
Git Tag:                 OTP-28.0.1
Date:                    2025-06-16
Trouble Report Id:       OTP-19634, OTP-19635, OTP-19637, OTP-19638,
                         OTP-19641, OTP-19644, OTP-19645, OTP-19650,
                         OTP-19653, OTP-19658, OTP-19662, OTP-19665,
                         OTP-19675, OTP-19676
Seq num:                 CVE-2025-4748, ERIERL-1225, ERIERL-1235,
                         GH-6463, GH-9102, GH-9841, GH-9858, GH-9863,
                         GH-9872, PR-9103, PR-9691, PR-9838, PR-9846,
                         PR-9849, PR-9859, PR-9861, PR-9870, PR-9878,
                         PR-9880, PR-9892, PR-9905, PR-9926, PR-9941
System:                  OTP
Release:                 28
Application:             asn1-5.4.1, debugger-6.0.1, eldap-1.2.16,
                         erts-16.0.1, kernel-10.3.1,
                         public_key-1.18.1, ssh-5.3.1, ssl-11.3.1,
                         stdlib-7.0.1, xmerl-2.1.5
Predecessor:             OTP 28.0

Check out the git tag OTP-28.0.1, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

asn1-5.4.1

The asn1-5.4.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• The ASN.1 compiler could generate code that would cause Dialyzer with the unmatched_returns option to emit warnings.

  Own Id: OTP-19638 Related Id(s): [GH-9841], [PR-9846]

Full runtime dependencies of asn1-5.4.1

erts-14.0, kernel-9.0, stdlib-5.0

debugger-6.0.1

The debugger-6.0.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Restore deleted icon so that debugger does not crash on startup.

  Own Id: OTP-19641 Related Id(s): [GH-9858], [PR-9861]

Full runtime dependencies of debugger-6.0.1

compiler-8.0, erts-15.0, kernel-10.0, stdlib-7.0, wx-2.0

eldap-1.2.16

The eldap-1.2.16 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• With this change eldap's 'not' function will have specs fixed.

  Own Id: OTP-19658 Related Id(s): [PR-9859]

Full runtime dependencies of eldap-1.2.16

asn1-3.0, erts-6.0, kernel-3.0, ssl-5.3.4, stdlib-3.4

erts-16.0.1

The erts-16.0.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

• Fix Erlang to not crash when io:standard_error/0 is a terminal but io:standard_io/0 is not. This bug has existed since Erlang/OTP 28.0 and only effects Windows.

  Own Id: OTP-19650 Related Id(s): [GH-9872], [PR-9878]

• In a debug build, the BIFs for the native debugger could cause a lock order violation diagnostic from the lock checker.

  Own Id: OTP-19665 Related Id(s): [PR-9926]

• When building ERTS make sure correct pcre2.h file is included even if CFLAGS contains extra include paths.

  Own Id: OTP-19675 Related Id(s): [PR-9892]

Full runtime dependencies of erts-16.0.1

kernel-9.0, sasl-3.3, stdlib-4.1

kernel-10.3.1

The kernel-10.3.1 application can be applied independently of other applications on a full OTP 28

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[maennchen]

Not compatible with the latest stable elixir release at this time, postponing until it is.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 28.x releases. But if you manually upgrade to 28.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

[maennchen]

Waiting for hexpm/bob#211

[coveralls]

coverage: 91.159%. remained the same
when pulling 3780a03 on renovate/erlang-28.x
into 8442481 on main.