Major vulnerability fix for Rebar3

Fred Hebert mononcqc@REDACTED
Mon May 24 15:43:53 CEST 2021


Bad news. You *have* to upgrade Rebar3. We just noticed that SSL validation
had been partially disabled for *years*.

I've written up all the details at
https://ferd.ca/you-ve-got-to-upgrade-rebar3.html

but the TL:DR; is:

- Rebar3 didn't properly check TLS certs for hex packages since version
3.7.0
- Non-hex dependencies are fine
- We don't think there's anybody exploiting it in the wild and it should be
rather difficult
- I've had time to cut releases for OTP-19 to 24 (two releases) and nightly
builds are up to date
- Older versions than 3.14 on OTP prior to 19 have no clear update path
without someone having time to backport the patch further in the past.

Sorry about that.
- Fred.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20210524/b1b967ba/attachment.htm>


More information about the erlang-questions mailing list