The Erlang/OTP 27.3.4.9 patch release addresses three CVEs and two bug fixes across the inets, ssh, and ssl applications. Security fixes include: rejection of HTTP requests carrying multiple conflicting Content-Length headers, to prevent request smuggling (CVE-2026-23941); a path traversal vulnerability in the SFTP server's root option, which used string prefix matching instead of proper path component validation (CVE-2026-23942); and a decompression bomb vulnerability in SSH zlib compression that allowed 256 KB packets to expand to 255 MB (CVE-2026-23943), fixed by removing zlib from the default algorithms and adding size limits. The ssl fixes address NSS keylogging state confusion and TLS 1.3 certificate request signature algorithm ordering.
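To make the three defect classes concrete from a defender's side, here is an added Python example (not OTP code, and not modelled on its implementation) with constructed inputs: it rejects conflicting Content-Length values, contrasts the flawed string-prefix root check with a component-wise one, and caps zlib inflation at a byte limit. All function names and the sample paths and headers are hypothetical.

```python
import posixpath
import zlib

# Constructed sample inputs, loosely modelled on the three OTP fixes above.
# None of this is OTP code.


def content_length(headers):
    """Return the body length (or None); reject conflicting Content-Length values.

    headers: list of (name, value) pairs as parsed from a request.
    """
    values = {v.strip() for n, v in headers if n.lower() == "content-length"}
    if not values:
        return None
    if len(values) > 1:
        # Two different lengths: a front-end and a back-end may disagree on
        # where the body ends, which is the request-smuggling primitive.
        raise ValueError("conflicting Content-Length headers: %s" % sorted(values))
    (value,) = values
    if not value.isdigit():
        raise ValueError("malformed Content-Length: %r" % value)
    return int(value)


def under_root_prefix(root, path):
    """The flawed check: a plain string-prefix test on the normalised path."""
    return posixpath.normpath(path).startswith(posixpath.normpath(root))


def under_root(root, path):
    """Component-wise check: every path component of root must match exactly."""
    root_parts = [p for p in posixpath.normpath(root).split("/") if p]
    path_parts = [p for p in posixpath.normpath(path).split("/") if p]
    return path_parts[: len(root_parts)] == root_parts


def inflate_bounded(data, limit):
    """Inflate a zlib stream, but stop as soon as the output would exceed limit."""
    d = zlib.decompressobj()
    out = d.decompress(data, limit + 1)  # max_length caps the output buffer
    if len(out) > limit:
        raise ValueError("decompressed size exceeds %d bytes" % limit)
    return out


def demo():
    """Run each check on constructed inputs and report the outcomes."""
    results = {}
    try:
        content_length([("Host", "example.test"),
                        ("Content-Length", "5"),
                        ("content-length", "42")])
        results["smuggle"] = "accepted"
    except ValueError:
        results["smuggle"] = "rejected"

    root = "/srv/sftp/alice"
    sibling = "/srv/sftp/alice-backup/id_rsa"  # shares a string prefix with root
    escape = "/srv/sftp/alice/../bob/notes"    # normalises to /srv/sftp/bob/notes
    results["prefix_check_sibling"] = under_root_prefix(root, sibling)
    results["component_check_sibling"] = under_root(root, sibling)
    results["component_check_escape"] = under_root(root, escape)

    bomb = zlib.compress(b"\0" * 4_000_000)  # a few KB in, 4 MB out
    try:
        inflate_bounded(bomb, 256 * 1024)
        results["bomb"] = "accepted"
    except ValueError:
        results["bomb"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The prefix check accepts `/srv/sftp/alice-backup/id_rsa` for root `/srv/sftp/alice` because the strings match up to the hyphen; the component check does not. Note that `posixpath.normpath` only collapses `..` lexically; a real SFTP server must also resolve symlinks (for example with `os.path.realpath`) before applying the component check, or a link inside the root can still point outside it.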