Major vulnerability fix for Rebar3
Mon May 24 15:43:53 CEST 2021
Bad news. You *have* to upgrade Rebar3. We just noticed that SSL validation
had been partially disabled for *years*.
I've written up all the details at
but the TL:DR; is:
- Rebar3 didn't properly check TLS certs for hex packages since version
- Non-hex dependencies are fine
- We don't think there's anybody exploiting it in the wild and it should be
- I've had time to cut releases for OTP-19 to 24 (two releases) and nightly
builds are up to date
- Older versions than 3.14 on OTP prior to 19 have no clear update path
without someone having time to backport the patch further in the past.
Sorry about that.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the erlang-questions