Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package erlang for openSUSE:Factory checked in at 2026-04-20 16:12:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/erlang (Old)
 and      /work/SRC/openSUSE:Factory/.erlang.new.11940 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "erlang" Mon Apr 20 16:12:04 2026 rev:144 rq:1348094 version:28.4.1 Changes: -------- --- /work/SRC/openSUSE:Factory/erlang/erlang.changes 2025-11-06 18:14:21.570348906 +0100 +++ /work/SRC/openSUSE:Factory/.erlang.new.11940/erlang.changes 2026-04-20 16:12:15.231516009 +0200 
@@ -1,0 +2,461 @@ +Sun Apr 05 14:46:59 UTC 2026 - Matwey Kornilov <[email protected]> + +- Changes for 28.4.1: + * inets: The httpd server now rejects HTTP requests containing + multiple Content-Length headers with different values, + returning a 400 Bad Request response. This prevents potential + HTTP request smuggling attacks. Thanks Luigino Camastra at + Aisle Research for responsibly disclosing this vulnerability + * ssl: TLS-1.3 certificate request now preserves the order of + signature algorithms in certificate request extension to be in + the servers preferred order, which might affect the choice made + by some TLS clients. + * ssl: Document that setting transport protocol specific socket + options is not generally expected to work for TLS and if it + happens to work it comes with consequences that should be + understood an accepted by the user. Also retain some backwards + compatibility with such an option that happened to work to buy + time for people to come up with better solutions. + * crypto: Fix memory leak in crypo:engine_load if called with + incorrect commands. + * kernel: A vulnerability has been resolved in the (undocumented, + unsupported and unused in OTP) inet_dns_tsig module that leads + to a validation bypass. + * ssh: Fixed path traversal vulnerability in SFTP server's root + option allowing authenticated users to access sibling + directories with matching name prefixes. The root option used + string prefix matching instead of path component validation. + With {root, "/home/user1"}, attackers could access + /home/user10/ or /home/user123/. Thanks to Luigino Camastra, + Aisle Research. + * ssh: Fixed excessive memory usage vulnerability in SSH + compression allowing attackers to consume system resources + through decompression bombs. The 'zlib' and '[email protected]' + algorithms lacked decompression size limits, allowing 256 KB + packets to expand to 255 MB (1029:1 ratio). This could lead to + crashes on systems with limited memory. 
+ +------------------------------------------------------------------- +Mon Mar 09 08:18:16 UTC 2026 - Matwey Kornilov <[email protected]> + +- Changes for 28.4: + * syntax_tools: Corrected the af_zip_generator() type in the + parser and syntax_tools. + * syntax_tools: Release applications, tests, and documentation + are now placed in their respective directories. Source SBOM + with more packages. + * observer: Release applications, tests, and documentation are + now placed in their respective directories. Source SBOM with + more packages. + * ssl: TLS servers that have early_data disabled will no longer + include the early_data extension in its session tickets. + * ssl: ssl:connection_information/2 will now return correct + information for TLS-1.2 session resumption. + * ssl: When performing renegotiation, in TLS-1.2 or earlier, + `max_frag_length` will no longer be renegotiated. Instead, the + connection will adhere to its originally negotiated value, and + if a value was not negotiated it will not be negotiated. + * ssl: The NSS Keylogging refactoring mixed up of Read and Write + connection states, could cause wrong NSS keylog labels, or + {error, closed} returned without keylog. + * ssl: Release applications, tests, and documentation are now + placed in their respective directories. Source SBOM with more + packages. + * runtime_tools: Release applications, tests, and documentation + are now placed in their respective directories. Source SBOM + with more packages. + * mnesia: Release applications, tests, and documentation are now + placed in their respective directories. Source SBOM with more + packages. + * reltool: Release applications, tests, and documentation are now + placed in their respective directories. Source SBOM with more + packages. + * public_key: Added missing mapping for der_encode/decode to + handle 'OCSPRequest'. 
+ * public_key: public_key:pkix_crl_verify/2 now handles + certificates with EdDSA keys correctly instead of causing a + runtime error. + * compiler: Fixed a compiler alias analysis bug that could + generate unsafe code for repeated binary segments. + * snmp: Release applications, tests, and documentation are now + placed in their respective directories. Source SBOM with more + packages. + * erl_interface: Updated openssl from 3.6.0 to 3.6.1. + * erl_interface: The ei API for decoding/encoding terms is not + fully 64-bit compatible since terms that have a representation + on the external term format larger than 2 GB cannot be handled. + * eunit: Release applications, tests, and documentation are now + placed in their respective directories. Source SBOM with more + packages. + * tools: Release applications, tests, and documentation are now + placed in their respective directories. Source SBOM with more + packages. + * odbc: Corrected specs to eliminate Dialyzer warnings for + applications. + * parsetools: The documentation for the token/3 and tokens/3 + functions was corrected. The return value when there were too + few characters is {more,Cont}. + * stdlib: Fixed functions ets:init_table/2, + [ets:tab2file/2,3](%60ets:tab2file/2%60), + [ets:table/1,2](%60ets:table/1%60), [ets:i/0,1](%60ets:i/0%60), + dets:from_ets/2, and dets:to_ets/2 to resolve named table + arguments only once. This will prevent strange effects if the + named table is deleted and recreated by a concurrent process. + * stdlib: Corrected the af_zip_generator() type in the parser and + syntax_tools. + * stdlib: For a function that started with a bracket-only pattern + (such as []), the ?FUNCTION_ARITY macro would evaluate to one + less than the actual arity. + * stdlib: Added support for zstd compression in the m:file + module. + * stdlib: Release applications, tests, and documentation are now + placed in their respective directories. Source SBOM with more + packages. 
+ * stdlib: The removal of the m:slave and m:slave modules have + been postponed to Erlang/OTP 31. + * diameter: Release applications, tests, and documentation are + now placed in their respective directories. Source SBOM with + more packages. + * megaco: Release applications, tests, and documentation are now + placed in their respective directories. Source SBOM with more + packages. + * xmerl: Fixed license headers and links in documentation. + * inets: Release applications, tests, and documentation are now + placed in their respective directories. Source SBOM with more + packages. + * inets: Added a new HttpOption {autoretry, timeout()} to + httpc:request/4,5. This option allows the client to decide how + to act upon receiving a Retry-After response header. The + default behavior changes, as now only one retry is made before + returning the error code, instead of retrying infinitely. + * inets: Httpc will not add a Content-Length header for requests, + that do not have defined semantics for request content in + [RFC9110](https://datatracker.ietf.org/doc/html/rfc9110) and do + not include content. The list includes methods: [GET, HEAD, + OPTIONS, TRACE, DELETE]. The behavior for headers_as_is option + remains unchanged. + * inets: Improved documentation and specs for do/1 callback in + httpd module. + * sasl: Release applications, tests, and documentation are now + placed in their respective directories. Source SBOM with more + packages. + * kernel: The built in DNS resolver inet_res has been fixed to do + a final request assuming that the request name is absolute, as + customary for many DNS resolver client libraries. + * kernel: Added support for zstd compression in the m:file + module. + * kernel: Release applications, tests, and documentation are now + placed in their respective directories. Source SBOM with more + packages. 
+ * common_test: Added documentation about the behavior of + ct:comment/1 and ct:comment/2 when executed from processes + other than the process running test functions. + * common_test: Updated jquery to 4.0.0 + * common_test: The removal of the m:slave and m:slave modules + have been postponed to Erlang/OTP 31. + * asn1: Release applications, tests, and documentation are now + placed in their respective directories. Source SBOM with more + packages. + * ssh: The type specification for the CbInitArgs parameter in + ssh_client_channel:start/4 and ssh_client_channel:start_link/4 + has been relaxed from [term()] to term(). This eliminates false + Dialyzer warnings when passing non-list arguments (such as maps + or atoms) to these functions. This change is backward + compatible as term() includes [term()]. + * ssh: Added support for the PQC key exchange (kex) algorithm + mlkem768x25519-sha256, a hybrid quantum-resistant algorithm + combining ML-KEM-768 with X25519. + * crypto: Fixed crypto:crypto_one_time_aead/4, which could crash + the runtime system if invoked in parallel with the same state. + * erts: Fixed a documentation build warning when one or more + applications failed their configure step and were skipped. + * erts: The (IPv6) flowinfo control message header was not + properly supported. + * erts: Fixed NetBSD thread naming, using pthread_setname_np(); + used for debugging. + * erts: The erlang:link_option/0 type is now exported. + * erts: Added persistent_term:put_new/2 that will quickly do + nothing if a term with the given name and value already exists, + and raise a badarg exception if the term exists with a + different value. + * erts: The manifest.xml file for the Windows build now has + version numbers updated to correctly report OS versions on + Windows 10, 11, Server 2016, 2019, 2022. + * erts: Improved yielding inside re:run. 
Regular expressions + searching for one specific byte character could spin in + memchr() without any yielding or reduction counting. + * erts: Updated openssl from 3.6.0 to 3.6.1. + * erts: Updated ryu implementation used to convert floats to + strings. + * erts: Upgraded asmjit to v1.18 + * erts: Updated zlib to version 1.3.2. + * et: Release applications, tests, and documentation are now + placed in their respective directories. Source SBOM with more + packages. + * wx: Release applications, tests, and documentation are now + placed in their respective directories. Source SBOM with more + packages. +- Changes for 28.3.3: + * erl_interface: Add missing copyrights. + * erts: Fixed bug in erlang:monitor_node for rare reconnect race + with multiple node monitoring from the same process. + * erts: Add missing copyrights. + +------------------------------------------------------------------- +Mon Feb 23 07:42:28 UTC 2026 - Matwey Kornilov <[email protected]> + +- Changes for 28.3.2: + * tftp: An issue in the undocumented initial state option + [{root_dir,Dir}] to the tftp_file module has been fixed. The + request file name was just concatenated to Dir so it was + possible to traverse above Dir by using "../" file path + components. Now the option actually restricts local file + operations to the Dir directory and subdirectories. + * ssh: Fix handling of the SSH "each side may guess" key-exchange + mechanism as defined in RFC 4253, Section 7. + * ssh: Fix ssh_file:encode handling of OpenSSH V1 private keys + generated by public_key module. Also correct type + specifications for OpenSSH V1 keys in ssh_file encode and + decode operations. + * crypto: Fixed static linking of OpenSSL 3.5+ on Windows. + * erts: Fail the windows build properly when nsis is not + recognised. + * erts: Socket accept cancel could cause fatal crash (core dump) + on Windows. 
+ * erts: Fixed bug in ets:update_counter/4 and + ets:update_element/4 accepting and inserting a default tuple + smaller than the keypos of the table. Such a tuple without a + key element would make the table internally inconsistent and + might lead to bad behavior at table access, like ERTS runtime + crash. + * erts: A missing memory barrier when unlocking process locks + could cause unexpected behavior on architectures with weak + memory ordering such as for example ARM. + * erts: A process could fail to wake from hibernation when a + non‑message signal followed by a message signal arrived + concurrently as the receiving process hibernated. If the + process had a large heap, triggering a dirty GC, the wakeup + could be lost. + * stdlib: Fixed bug in ets:update_counter/4 and + ets:update_element/4 accepting and inserting a default tuple + smaller than the keypos of the table. Such a tuple without a + key element would make the table internally inconsistent and + might lead to bad behavior at table access, like ERTS runtime + crash. +- Changes for 28.3.1: + * ssl: Correct TLS-1.3 alert handling so server will always send + the alert with the encryption keys that the client is + expecting, that is if for instance if client certification + fails the alert will be sent using application traffic + encryption keys. + * ssl: Correct TLS-1.3 session tickets documentation. + * ssl: Corrected app environment handling for session callback + that was broken In OTP-23. + * xmerl: XML regular expressions in XSD validation now handle \s + and \S correctly. + * public_key: Add missing git ignore for SLH-DSA generates. + * megaco: The megaco_tcp module had debug unintentionally + enabled. + * mnesia: Fixed bug where mnesia:del_table_copy/3 could fail when + deleting a node that had tables which was not active anywhere. +- Changes for 28.3: + * wx: Fix getting wxImage pixel values. For example, + wxImage:getRed(Image) returned the wrong value. 
+ * wx: Fixed reading out of array bounds and potential memory + leaks. + * wx: Updated the vendor dependencies SHA to improve the accuracy + of the source SBOM with purl pointing to the exact vendor + commit that Erlang/OTP builds upon. + * common_test: Updated the vendor dependencies SHA to improve the + accuracy of the source SBOM with purl pointing to the exact + vendor commit that Erlang/OTP builds upon. + * diameter: Add new option 'indirect_inherits' to + diameter_make:codec/2 + * snmp: Fixed a bug where running snmp:config() from Elixir would + crash due to io:get_line/1 returning unexpected datatype. + * snmp: Inherit ERL_DETERMINISTIC variable for compiling + snmp_pdus_basic.beam. + * kernel: Fixed a shell crash when calling io:getopts() when + user_drv process is not responding/terminating + * kernel: logger:get_handler_config/0 will no longer crash if a + logger handler is removed concurrently with that call. + * kernel: Fixed a bug in the shell that made it incorrectly + output a newline after the output already containing a newline + but followed by an asci escape sequence. + * kernel: Receive buffer allocation has been optimized for socket + socket in that an underutilized buffers' content is copied to a + freshly allocated binary of the right size instead of being + reallocated. + * kernel: Option(s) to create gen_tcp and socket sockets with + protocol IPPROTO_MPTCP has been implemented. + * kernel: Support for the socket options TCP_KEEPCNT, + TCP_KEEPIDLE, and TCP_KEEPINTVL have been implemented for + gen_tcp, as well as TCP_USER_TIMEOUT for both gen_tcp and + socket. + * kernel: Limit size of sctp_event_subscribe on Linux + * ssh: Adjustment in ssh_file module allowing inclusion of + Erlang/OTP license in test files containing keys. 
++++ 164 more lines (skipped) ++++ between /work/SRC/openSUSE:Factory/erlang/erlang.changes ++++ and /work/SRC/openSUSE:Factory/.erlang.new.11940/erlang.changes Old: ---- OTP-28.1.1.tar.gz New: ---- OTP-28.4.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ erlang.spec ++++++ --- /var/tmp/diff_new_pack.vksSnL/_old 2026-04-20 16:12:17.179596219 +0200 +++ /var/tmp/diff_new_pack.vksSnL/_new 2026-04-20 16:12:17.179596219 +0200 @@ -1,7 +1,7 @@ # # spec file for package erlang # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -23,7 +23,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: erlang -Version: 28.1.1 +Version: 28.4.1 Release: 0 Summary: General-purpose programming language and runtime environment License: Apache-2.0 ++++++ OTP-28.1.1.tar.gz -> OTP-28.4.1.tar.gz ++++++ /work/SRC/openSUSE:Factory/erlang/OTP-28.1.1.tar.gz /work/SRC/openSUSE:Factory/.erlang.new.11940/OTP-28.4.1.tar.gz differ: char 12, line 1 ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.vksSnL/_old 2026-04-20 16:12:17.291600830 +0200 +++ /var/tmp/diff_new_pack.vksSnL/_new 2026-04-20 16:12:17.291600830 +0200 
@@ -1,6 +1,6 @@ -mtime: 1762339518 -commit: 0581910cddbe42e468667083aa844c200572046ed29ab6f925de2975cc245042 +mtime: 1775400426 +commit: fd0270001c629b627ab1db1b49613e8a0dfbe22ba4f61142810969310a0ce6b3 url: https://src.opensuse.org/erlang/erlang.git -revision: 0581910cddbe42e468667083aa844c200572046ed29ab6f925de2975cc245042 +revision: fd0270001c629b627ab1db1b49613e8a0dfbe22ba4f61142810969310a0ce6b3 projectscmsync: https://src.opensuse.org/erlang/_ObsPrj.git ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-04-05 16:55:17.000000000 +0200 @@ -0,0 +1 @@ +.osc
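Review bot: The 28.4.1 and 28.3.2 entries in the erlang.changes hunk describe security fixes (inets duplicate Content-Length rejection, the kernel inet_dns_tsig validation bypass, the ssh SFTP root prefix-matching path traversal, the ssh zlib decompression limit, and the tftp root_dir "../" traversal) without any CVE or Bugzilla reference. If identifiers have been assigned, add them to the corresponding bullets so the update can be matched by security tracking. The same hunk also carries upstream markup residue and typos worth cleaning up while the entry is touched, for example "[ets:tab2file/2,3](%60ets:tab2file/2%60)", "crypo:engine_load" and "the m:slave and m:slave modules".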
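Review bot: The erlang.spec hunk at "Version: 28.4.1" replaces OTP-28.1.1.tar.gz with OTP-28.4.1.tar.gz, and the Old/New file list shows only the tarball changing, with no signature or checksum file alongside it. Please state in the request how the new tarball was verified against the upstream release. Since the bump spans 28.3 through 28.4.1, it would also help to confirm that dependent packages were rebuilt against the behaviour changes the changelog itself calls out, such as the httpc retry default ("only one retry is made before returning the error code") and the TLS-1.3 certificate request signature algorithm ordering.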
