Important security fix in Erlang/OTP 23.2.2

Erlang/OTP 23.2.2 is out, fixing a critical TLS certificate verification issue in 23.2 and 23.2.1 allowing MitM attacks and forged client certificates. I wrote a post to help you understand if your application or dev environment is at risk.

30 Likes

Thanks a lot for the heads up! I usually immediately upgrade Erlang the minute I see that asdf shows the new version as installable – for exactly these reasons.

3 Likes

This version does not seem available for Ubuntu via Erlang Solutions: https://www.erlang-solutions.com/resources/download.html

Do you know what’s the way to upgrade?

Use asdf?

That's fine for development, though not for production environments.

There was no context in the question.

Otherwise yep, agreed.

Why is asdf not an option for production?

Well, I'd view it as a waste since I only need one version on prod.

Plus shell shims take some CPU time which, while insignificant during development (or in general), would compound hugely on a production system running for months.

1 Like

The shims only take CPU when calling the commands, not while the server is running, so I don't think you can even measure that overhead, even after months?

Fair enough alright. :smiley:

Well, there is a flip-side to an aggressive upgrade strategy: along with all the latest fixes you also get all the latest new bugs. In this case, anyone still on 23.0 or 23.1 would not have been affected in the first place…

I would use kerl/asdf or binaries built by Bob the Builder (by the Hex team; Erlang binaries conveniently listed here) on CI/CD servers, and then ship a release with bundled ERTS to production.

2 Likes