OTP 26.2.5.19 is a security-focused patch release for Erlang/OTP 26. It addresses two CVEs. CVE-2026-28808 is an authentication bypass in the inets httpd server: script_alias could map URLs to directories outside document_root, bypassing mod_auth access controls. CVE-2026-28810 affects the built-in DNS resolver (inet_res), which previously used sequential, predictable 16-bit transaction IDs and no source port randomization, making DNS cache poisoning practical. The resolver fix introduces strong random transaction IDs and source port randomization, with an opt-out for trusted network environments. Documentation is also updated to clarify that inet_res is intended for trusted networks only.
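As a configuration check for the script_alias issue described above, the following added example (not code from OTP or from the release notes) lists the script_alias entries of an inets httpd property list whose real directory lies outside document_root, so they can be reviewed against the mod_auth rules. The module and function names and the sample configuration are constructed for illustration, and the comparison is lexical only: symlinks are not resolved and paths are assumed to be strings.

```erlang
-module(script_alias_audit).
-export([outside_docroot/1, demo/0]).

%% Return the {Alias, RealDir} pairs from script_alias entries whose
%% real directory is not located under document_root.
%% Crashes (badmatch) if the configuration has no document_root.
outside_docroot(Config) ->
    {document_root, Root} = lists:keyfind(document_root, 1, Config),
    DocRoot = segments(Root),
    [{Alias, Real} || {script_alias, {Alias, Real}} <- Config,
                      not lists:prefix(DocRoot, segments(Real))].

%% Split a path into components and resolve "." and ".." lexically,
%% so "/var/www/htdocs/../x" is compared as "/var/www/x".
segments(Path) ->
    normalise(filename:split(filename:absname(Path)), []).

normalise([], Acc) -> lists:reverse(Acc);
normalise(["." | T], Acc) -> normalise(T, Acc);
%% ".." pops one component, but never the root component itself.
normalise([".." | T], [_, _ | _] = Acc) -> normalise(T, tl(Acc));
normalise([".." | T], Acc) -> normalise(T, Acc);
normalise([H | T], Acc) -> normalise(T, [H | Acc]).

%% Constructed sample configuration: the first alias stays inside
%% document_root, the second escapes it through "..".
demo() ->
    Config = [{document_root, "/var/www/htdocs"},
              {script_alias, {"/cgi-bin/", "/var/www/htdocs/cgi-bin/"}},
              {script_alias, {"/admin/", "/var/www/htdocs/../cgi-admin/"}},
              {directory, {"/var/www/htdocs", [{auth_type, plain}]}}],
    outside_docroot(Config).
```

Calling `script_alias_audit:demo()` reports only the `/admin/` alias; an entry reported this way is a candidate for review, not proof that access control is missing.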

From erlangforums.com