[erlang-questions] Yaws security alert - Yaws 1.93
Park, Sungjin
jinni.park@REDACTED
Fri Jun 22 02:40:22 CEST 2012
Thanks for the invaluable info.
Anyways, what would be an alternative for random:uniform/1?
Or is there any patch for the problem?
/Sungjin
On Thu, Jun 21, 2012 at 5:58 AM, Claes Wikstrom <klacke@REDACTED> wrote:
>
> I just posted the following note on the Yaws list, all of you
> using Yaws for production with cookie based auth need to take action.
> Actually, anyone using random:uniform/1 for anything security related
> needs to pay attention.
>
> /klacke
>
> ---------------
>
>
> Folks,
>
> New yaws release which contains a fix to a pretty serious security hole.
> The relevant relnote entry is:
>
> Use crypto:rand_bytes() instead of the cryptographically weak random
> module. Swedish security consultant and cryptographer Kalle Zetterlund
> discovered a way to - given a sequence of cookies produced by
> yaws_session_server - predict the next session id, thus providing a gaping
> security hole into yaws servers that use the yaws_session_server to
> maintain cookie based HTTP sessions (klacke/kallez)
>
>
> It's been almost 6 months since the last release, so this one also contains
> a long series of good fixes and improvements from a lot of good people.
>
> Thanks everyone !!
>
>
> Code, release, relnotes, docs etc at http://yaws.hyber.org/
>
> Yaws team -
>
> /klacke/Steve/Christopher
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
>
--
Park, Sungjin
-------------------------------------------------------------------------------------------------------------------
Peculiar travel suggestions are dancing lessons from god.
-- The Books of Bokonon
-------------------------------------------------------------------------------------------------------------------
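As an added example (not Yaws code and not from either poster), a small Erlang module that does what the relnote describes: issue session ids from the crypto CSPRNG instead of random:uniform/1, and accept only ids of the shape it issues. The module and function names (session_id, new/1, valid/1) are my own; it assumes an OTP install with the crypto application.

```erlang
%% session_id.erl: cookie session ids drawn from the crypto CSPRNG.
%% Added example, not Yaws code. Assumes OTP with the crypto application.
-module(session_id).
-export([new/0, new/1, valid/1]).

%% 16 random bytes = 128 bits of entropy: guessing stays infeasible no
%% matter how many previously issued ids an attacker has observed.
-define(MIN_ID_BYTES, 16).

%% The relnote's fix is crypto:rand_bytes/1; that function has since been
%% removed from OTP, so crypto:strong_rand_bytes/1 is used here. Unlike the
%% old random module (a small deterministic generator whose internal state
%% can be recovered from its outputs), it reads from the OS/OpenSSL CSPRNG.
new() ->
    new(?MIN_ID_BYTES).

%% Fail closed: a request for fewer than MIN_ID_BYTES bytes is a bug in the
%% caller and raises function_clause rather than issuing a short id.
new(NBytes) when is_integer(NBytes), NBytes >= ?MIN_ID_BYTES ->
    hex(crypto:strong_rand_bytes(NBytes)).

%% Lowercase hex keeps the value cookie-safe: no quoting or escaping needed.
hex(Bytes) when is_binary(Bytes) ->
    lists:flatten([io_lib:format("~2.16.0b", [B]) || <<B>> <= Bytes]).

%% Check an incoming cookie value before any session-table lookup: exactly
%% the length new/0 issues and nothing but lowercase hex digits.
valid(Id) when is_list(Id), length(Id) =:= 2 * ?MIN_ID_BYTES ->
    lists:all(fun is_hex_digit/1, Id);
valid(_) ->
    false.

is_hex_digit(C) ->
    (C >= $0 andalso C =< $9) orelse (C >= $a andalso C =< $f).
```

In a shell, `session_id:new().` returns a 32-character hex string that differs on every call and across nodes, and `session_id:valid(session_id:new()).` returns `true`.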