[erlang-questions] Yaws security alert - Yaws 1.93
Wed Jun 20 22:58:00 CEST 2012
I just posted the following note on the Yaws list, all of you
using Yaws for production with cookie based auth need to take action.
Actually, anyone using random:uniform/1 for anything security related
need to pay attention.
New yaws release which contains a fix to pretty serious security hole.
The relevant relnote entry is:
Use crypto:rand_bytes() instead of the cryptographically weak random module.
Swedish security consultant and cryptographer Kalle Zetterlund discovered a way
to - given a sequence of cookies produced by yaws_session_server - predict the
next session id. Thus providing a gaping security hole into yaws servers that
use the yaws_session_server to maintain cookie based HTTP sessions (klacke/kallez)
It's been almost 6 months since the last release, so this one also contains
a long series of good fixes and improvements from a lot of good people.
Thanks everyone !!
Code, release, relnotes, docs etc at http://yaws.hyber.org/
Yaws team -
More information about the erlang-questions