voltone
Hex v0.19 released, with security fix
The v0.19 release includes an important security fix to anyone accessing Hex repositories through a mirror. A bug has been found that would allow a malicious mirror to serve modified versions of Hex packages. hex versions
0.14.0to0.18.2and rebar3 versions3.7.0to3.7.5are vulnerable. Make sure to update to hex0.19.0and rebar33.8.0.
If you are using a version manager such as asdf, keep in mind you probably have a copy of Hex installed for each Elixir version. And remember to update Hex/Rebar3 installations on your build servers as well.
Most Liked
voltone
I wrote a post about the issue, the background, the impact and the fix, FYI:
https://blog.voltone.net/post/22
easco
As a convenience for others. You may upgrade hex and rebar locally using
$ mix local.hex
$ mix local.rebar
ericmj
Note that mix local.rebar does not update the rebar version you may have in PATH. It only updates the rebar that is used to compile rebar dependencies. mix local.rebar does not update to 3.8.0 yet but rebar compilation is not affected by this vulnerability.
If you use rebar3 directly for rebar3 projects you need to update it separately.
Popular in Discussions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance








