Major vulnerability fix for Rebar3

Fred Hebert mononcqc@REDACTED
Mon May 24 15:43:53 CEST 2021

Bad news. You *have* to upgrade Rebar3. We just noticed that SSL validation
had been partially disabled for *years*.

I've written up all the details at

but the TL:DR; is:

- Rebar3 didn't properly check TLS certs for hex packages since version
- Non-hex dependencies are fine
- We don't think there's anybody exploiting it in the wild and it should be
rather difficult
- I've had time to cut releases for OTP-19 to 24 (two releases) and nightly
builds are up to date
- Older versions than 3.14 on OTP prior to 19 have no clear update path
without someone having time to backport the patch further in the past.

Sorry about that.
- Fred.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the erlang-questions mailing list