Hex v0.19 released, with security fix

Hex v0.19 released:

The v0.19 release includes an important security fix to anyone accessing Hex repositories through a mirror. A bug has been found that would allow a malicious mirror to serve modified versions of Hex packages. hex versions 0.14.0 to 0.18.2 and rebar3 versions 3.7.0 to 3.7.5 are vulnerable. Make sure to update to hex 0.19.0 and rebar3 3.8.0 .

If you are using a version manager such as asdf, keep in mind you probably have a copy of Hex installed for each Elixir version. And remember to update Hex/Rebar3 installations on your build servers as well.


As a convenience for others. You may upgrade hex and rebar locally using

$ mix local.hex
$ mix local.rebar

Note that mix local.rebar does not update the rebar version you may have in PATH. It only updates the rebar that is used to compile rebar dependencies. mix local.rebar does not update to 3.8.0 yet but rebar compilation is not affected by this vulnerability.

If you use rebar3 directly for rebar3 projects you need to update it separately.


Which is best done with rebar3 local upgrade which will install the latest version to ~/.cache/rebar3/bin and be sure to add that path to your $PATH.

I wrote a post about the issue, the background, the impact and the fix, FYI: