Skip to content

Upgrade erlang to 27.3.4.14 for multiple CVEs#17958

Draft
SumitJenaHCL wants to merge 1 commit into
microsoft:3.0-devfrom
Kanishk-Bansal:topic_erlang-3.0
Draft

Upgrade erlang to 27.3.4.14 for multiple CVEs#17958
SumitJenaHCL wants to merge 1 commit into
microsoft:3.0-devfrom
Kanishk-Bansal:topic_erlang-3.0

Conversation

@SumitJenaHCL

Copy link
Copy Markdown
Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?

This PR upgrades the erlang package from 26.2.5.21 to 27.3.4.14 (OTP 27).

The previous spec carried six downstream CVE backport patches. All six are fixed upstream in 27.3.4.14, so every patch was dropped. Each fix was verified line-for-line against the actual 27.3.4.14 source tarball being packaged:

  • CVE-2026-48855 (SSH SSH_FXP_READLINK absolute-path leak) — fixed in lib/ssh/src/ssh_sftpd.erl (READLINK now chroots the link target).
  • CVE-2026-48856 (httpc forwards sensitive headers on cross-origin redirect) — fixed in lib/inets/src/http_client/httpc_response.erl (strips Authorization, Proxy-Authorization, Cookie, Referer, Origin per RFC 9110 §15.4).
  • CVE-2026-48858 (FTP PASV response IP not validated — SSRF/FTP-bounce) — fixed in lib/ftp/src/ftp_internal.erl (data IP derived from control-conn peername/1).
  • CVE-2026-48860 (SSL dist check_ip used sockname instead of peername) — fixed in lib/ssl/src/inet_tls_dist.erl.
  • CVE-2026-49759 (SCTP error/abort chunk output-buffer overflow) — fixed in erts/emulator/drivers/common/inet_drv.c (sctp_parse_error_chunk overflow guard).
  • CVE-2026-49760 (ei_s_print_term stack overflow on very large integers) — fixed in lib/erl_interface/src/misc/ei_printterm.c (xputs/vsnprintf).
Change Log
  • SPECS/erlang/erlang.spec — bump to 27.3.4.14-1, drop 6 obsolete CVE patches, %changelog
  • SPECS/erlang/erlang.signatures.json — new source hash (610f8e66…02e59c8)
  • SPECS/erlang/CVE-2026-48855.patch — removed (fixed upstream in 27.3.4.14)
  • SPECS/erlang/CVE-2026-48856.patch — removed (fixed upstream in 27.3.4.14)
  • SPECS/erlang/CVE-2026-48858.patch — removed (fixed upstream in 27.3.4.14)
  • SPECS/erlang/CVE-2026-48860.patch — removed (fixed upstream in 27.3.4.14)
  • SPECS/erlang/CVE-2026-49759.patch — removed (fixed upstream in 27.3.4.14)
  • SPECS/erlang/CVE-2026-49760.patch — removed (fixed upstream in 27.3.4.14)
  • cgmanifest.json — erlang 26.2.5.21 -> 27.3.4.14
Does this affect the toolchain?

NO

Associated issues
  • #xxxx
Links to CVEs
Test Methodology
  • Local Build.
  • Buddy Build URL -

@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines:
There may be pipelines that require an authorized user to comment /azp run to run.

@microsoft-github-policy-service microsoft-github-policy-service Bot added Packaging 3.0-dev PRs Destined for AzureLinux 3.0 labels Jul 9, 2026
@Kanishk-Bansal

Copy link
Copy Markdown

Buddy Build

@Kanishk-Bansal

Copy link
Copy Markdown

@Kanishk-Bansal Kanishk-Bansal marked this pull request as ready for review July 9, 2026 17:19
@Kanishk-Bansal Kanishk-Bansal requested a review from a team as a code owner July 9, 2026 17:20
@SumitJenaHCL

Copy link
Copy Markdown
Author

Buddy Build

Buddy Build has passed.

@Kanishk-Bansal

Copy link
Copy Markdown

Breaking changes: OTP 26.2.5.21 → 27.3.4.14

You're upgrading across a major version (26 → 27), so you're picking up all the OTP 27.0 breaking changes plus everything in the 27.x patch line. Below is what actually breaks, sourced from the erlang/otp incompatibility docs.

⚠️ The code-search results were truncated (limited to 6 results), so this may not be exhaustive. See the full list on GitHub code search and the official OTP 27 release notes.

1. Language / syntax breaking changes

Triple-quoted strings (EEP 64) — the biggest source of real-world breakage. A sequence of 3+ double-quote characters is now parsed as a triple-quoted string instead of concatenated empty strings.

"""String Content"""
%% OTP 26: was "" "String Content" "" → "String Content"
%% OTP 27: SYNTAX ERROR (no text allowed after an opening triple-quote)

If you got the 3 or more double-quote characters compiler warning on OTP 26.1+, that code will now break. Fix by adding spaces between empty strings or removing redundant ones.

2. Removed features

Removed Detail
Vanilla driver Passing an atom/string as the first arg to open_port/2 to open a port to an external resource is removed (removed_27.md).
-code_path_choice now defaults to strict On OTP 26 relaxed meant -pa myapp/ebin also tried myapp/myapp/ebin. Now strict by default.
Archive fallbacks An app split across regular folders + archives is no longer supported by the code server.

3. Deprecations (still work in 27, warn now, removal later)

From deprecations_27.md:

  • Archives: using archives to package a single application in the code path, and all archive handling in erl_prim_loader, are deprecated. Escript archives are fine, but you must use escript:extract/2 to read files from them.
  • erl flags: -epmd_module → use kernel param epmd_module; -erl_epmd_port → use kernel param erl_epmd_node_listen_port.

4. Runtime / behavioral changes to watch

  • escript is compiled by default (not interpreted) — the compiler application must be present, or add -mode(interpret). to the script.
  • Compiler option precedence changed: -compile() attribute now overrides command-line options, which override ERL_COMPILER_OPTIONS.
  • NIFs / linked-in drivers should be rebuilt against OTP 27, as with any major bump.

5. Important note on the re module

The web results mention a new regex engine (PCRE2), but that lands in OTP 28, not 27 — confirmed by the OTP docs. So re behavior is unchanged in your 26 → 27 jump. Don't worry about it for this upgrade.


Recommended upgrade checklist

  1. Recompile all your code and fix any 3+ double-quote warnings/errors.
  2. Search your code/args for open_port with atom/string ports, -code_path_choice, -epmd_module, -erl_epmd_port, and archive-based code paths.
  3. Rebuild NIFs and linked-in drivers against OTP 27.
  4. Ensure compiler is available wherever you run escripts (or set interpret mode).

@SumitJenaHCL

SumitJenaHCL commented Jul 10, 2026

Copy link
Copy Markdown
Author

Thanks for the detailed OTP 27 breakdown, @Kanishk-Bansal. I worked through each breaking-change category against AzL — sharing the analysis and the actions it requires.

Erlang package — no spec changes needed. The OTP 27 breaking changes are consumer-facing language/runtime behaviors baked into the upstream release; none are things the erlang spec configures or should alter, and neutralizing any in-package would fork the language away from conformant OTP 27. I searched the whole SPECS* tree for each removed/deprecated feature — the packaging layer is clean:

OTP 27 change AzL impact
Triple-quoted strings (EEP 64) No bundled .erl/.escript in-repo; only surfaces inside consumer source → see Actions
Vanilla driver removed (open_port atom) 0 matches in SPECS*
-code_path_choicestrict 0 matches
-epmd_module / -erl_epmd_port deprecations 0 matches
Archives / erl_prim_loader / .ez 0 matches
escript compiled by default (needs compiler) Non-issue — AzL erlang is monolithic, ships compiler with escript/erlc
Compiler-option precedence No AzL spec sets ERL_COMPILER_OPTIONS/-compile flags
re/PCRE2 OTP 28, not 27 — no action

So every removed/deprecated-feature category is clean in AzL.

CVE patches dropped — verified, not assumed. All six backports were removed because they're fixed upstream in 27.3.4.14, confirmed line-for-line against the source tarball being packaged:

CVE Fix location in 27.3.4.14
CVE-2026-48855 lib/ssh/src/ssh_sftpd.erl — READLINK chroots the target
CVE-2026-48856 lib/inets/src/http_client/httpc_response.erl — strips sensitive headers on cross-origin redirect (RFC 9110 §15.4)
CVE-2026-48858 lib/ftp/src/ftp_internal.erl — PASV IP from control-conn peername/1
CVE-2026-48860 lib/ssl/src/inet_tls_dist.erlcheck_ip uses peername
CVE-2026-49759 erts/emulator/drivers/common/inet_drv.csctp_parse_error_chunk overflow guard
CVE-2026-49760 lib/erl_interface/src/misc/ei_printterm.cxputs/vsnprintf

Triple-quoted strings. Highest-risk change, and it ties into the dependency problem below: the only Erlang consumers we ship are elixir and rabbitmq-server, and neither of their current AzL versions supports OTP 27 — so a rebuild-in-place isn't the right mitigation; they need version upgrades (see Actions).

Actions required

This bump moves erlang to a version neither consumer supports, so a Release bump/rebuild is not sufficient — both need version upgrades, landed together with this PR so the build graph stays green:

  • elixir — 1.16.1 supports OTP 24–26 only (Elixir↔OTP matrix; OTP 27 starts at Elixir 1.17). → upgrade to ≥ 1.17.x.
  • rabbitmq-server — 3.13.7 supports OTP 26.0–26.2.x only (RabbitMQ Erlang matrix; OTP 27 starts at RabbitMQ 4.0.4). It BuildRequires both erlang and elixir. → upgrade to ≥ 4.0.4 (latest 4.x on the 27.x line).

Audited and not required:

  • thrifthave_jsx 0 ⇒ builds --without-erlang (want_erlang 0); its erlang-thrift subpackage/BuildRequires: erlang are inactive.
  • libguestfs — configured --disable-erlang.

Net: the erlang change is correct on its own, but it can't ship in isolation — it forces coordinated elixir (→1.17.x) and rabbitmq-server (→4.x) upgrades.

@Kanishk-Bansal Kanishk-Bansal marked this pull request as draft July 11, 2026 16:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

3.0-dev PRs Destined for AzureLinux 3.0 Packaging security

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants