[erlang-questions] Yaws security alert - Yaws 1.93

Claes Wikstrom <>
Wed Jun 20 22:58:00 CEST 2012


I just posted the following note on the Yaws list, all of you
using Yaws for production with cookie based auth need to take action.
Actually, anyone using random:uniform/1 for anything security related
need to pay attention.

/klacke

---------------


Folks,

New yaws release which contains a fix to pretty serious security hole.
The relevant relnote entry is:

Use crypto:rand_bytes() instead of the cryptographically weak random module. 
Swedish security consultant and cryptographer Kalle Zetterlund discovered a way 
to - given a sequence of cookies produced by yaws_session_server - predict the 
next session id. Thus providing a gaping security hole into yaws servers that 
use the yaws_session_server to maintain cookie based HTTP sessions (klacke/kallez)


It's been almost 6 months since the last release, so this one also contains
a long series of good fixes and improvements from a lot of good people.

Thanks everyone !!


Code, release, relnotes, docs etc at http://yaws.hyber.org/

Yaws team -

/klacke/Steve/Christopher



More information about the erlang-questions mailing list