Upgrade erlang to 27.3.4.14 for multiple CVEs#17958
Conversation
|
Azure Pipelines: There may be pipelines that require an authorized user to comment /azp run to run. |
|
Buddy Build has passed. |
Breaking changes: OTP 26.2.5.21 → 27.3.4.14You're upgrading across a major version (26 → 27), so you're picking up all the OTP 27.0 breaking changes plus everything in the 27.x patch line. Below is what actually breaks, sourced from the
1. Language / syntax breaking changesTriple-quoted strings (EEP 64) — the biggest source of real-world breakage. A sequence of 3+ double-quote characters is now parsed as a triple-quoted string instead of concatenated empty strings. """String Content"""
%% OTP 26: was "" "String Content" "" → "String Content"
%% OTP 27: SYNTAX ERROR (no text allowed after an opening triple-quote)If you got the 2. Removed features
3. Deprecations (still work in 27, warn now, removal later)From deprecations_27.md:
4. Runtime / behavioral changes to watch
5. Important note on the
|
|
Thanks for the detailed OTP 27 breakdown, @Kanishk-Bansal. I worked through each breaking-change category against AzL — sharing the analysis and the actions it requires. Erlang package — no spec changes needed. The OTP 27 breaking changes are consumer-facing language/runtime behaviors baked into the upstream release; none are things the
So every removed/deprecated-feature category is clean in AzL. CVE patches dropped — verified, not assumed. All six backports were removed because they're fixed upstream in 27.3.4.14, confirmed line-for-line against the source tarball being packaged:
Triple-quoted strings. Highest-risk change, and it ties into the dependency problem below: the only Erlang consumers we ship are Actions requiredThis bump moves erlang to a version neither consumer supports, so a
Audited and not required:
Net: the erlang change is correct on its own, but it can't ship in isolation — it forces coordinated |
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
*-staticsubpackages, etc.) have had theirReleasetag incremented../cgmanifest.json,./toolkit/scripts/toolchain/cgmanifest.json,.github/workflows/cgmanifest.json)./LICENSES-AND-NOTICES/SPECS/data/licenses.json,./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md,./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)*.signatures.jsonfilessudo make go-tidy-allandsudo make go-test-coveragepassSummary
What does the PR accomplish, why was it needed?
This PR upgrades the
erlangpackage from 26.2.5.21 to 27.3.4.14 (OTP 27).The previous spec carried six downstream CVE backport patches. All six are fixed upstream in 27.3.4.14, so every patch was dropped. Each fix was verified line-for-line against the actual 27.3.4.14 source tarball being packaged:
SSH_FXP_READLINKabsolute-path leak) — fixed inlib/ssh/src/ssh_sftpd.erl(READLINK now chroots the link target).lib/inets/src/http_client/httpc_response.erl(stripsAuthorization,Proxy-Authorization,Cookie,Referer,Originper RFC 9110 §15.4).lib/ftp/src/ftp_internal.erl(data IP derived from control-connpeername/1).check_ipusedsocknameinstead ofpeername) — fixed inlib/ssl/src/inet_tls_dist.erl.erts/emulator/drivers/common/inet_drv.c(sctp_parse_error_chunkoverflow guard).ei_s_print_termstack overflow on very large integers) — fixed inlib/erl_interface/src/misc/ei_printterm.c(xputs/vsnprintf).Change Log
%changelog610f8e66…02e59c8)Does this affect the toolchain?
NO
Associated issues
Links to CVEs
Test Methodology