[erlang-questions] Yaws security alert - Yaws 1.93

Claes Wikstrom klacke@REDACTED
Wed Jun 20 22:58:00 CEST 2012

I just posted the following note on the Yaws list, all of you
using Yaws for production with cookie based auth need to take action.
Actually, anyone using random:uniform/1 for anything security related
need to pay attention.




New yaws release which contains a fix to pretty serious security hole.
The relevant relnote entry is:

Use crypto:rand_bytes() instead of the cryptographically weak random module. 
Swedish security consultant and cryptographer Kalle Zetterlund discovered a way 
to - given a sequence of cookies produced by yaws_session_server - predict the 
next session id. Thus providing a gaping security hole into yaws servers that 
use the yaws_session_server to maintain cookie based HTTP sessions (klacke/kallez)

It's been almost 6 months since the last release, so this one also contains
a long series of good fixes and improvements from a lot of good people.

Thanks everyone !!

Code, release, relnotes, docs etc at http://yaws.hyber.org/

Yaws team -


More information about the erlang-questions mailing list