ferd

ferd

Author of Property-Based Testing with PropEr, LYSE, & Erlang in Anger

Major vulnerability fix for Rebar3

Bad news. You have to upgrade Rebar3. We just noticed that SSL validation had been partially disabled for years.

I’ve written up all the details at You've got to upgrade Rebar3

but the TL:DR; is:

  • Rebar3 didn’t properly check TLS certs for hex packages since version 3.7.0

  • Non-hex dependencies are fine

  • We don’t think there’s anybody exploiting it in the wild and it should be rather difficult

  • I’ve had time to cut releases for OTP-19 to 24 (two releases) and nightly builds are up to date

  • Older versions than 3.14 on OTP prior to 19 have no clear update path without someone having time to backport the patch further in the past.

  • it does not affect mix users

Sorry about that

Most Liked

voltone

voltone

Yes: when the top-level project is managed by Mix then all Hex packages are fetched by Mix/Hex, even (transitive) dependencies that use Rebar3 as the build tool.

Mix has never verified the server’s certificate, since it does not have a CA trust store (unlike e.g. Hex and Rebar3). Instead of relying on a secure channel, it verifies the artifacts it downloads against a registry of checksums. This registry has a signature that can be verified using the public key(s) that are built into the tool, and that can be managed using mix local.public_keys.

josevalim

josevalim

Creator of Elixir

We have updated the rebar versions for those on Elixir v1.11.4+. As we said, Elixir is safe regardless as we don’t use rebar to download packages, but providing the latest rebar is a good call anyway. :slight_smile:

ferd

ferd

Author of Property-Based Testing with PropEr, LYSE, & Erlang in Anger

Yep. 3.7 had specific substitution attacks in limited scenarios, but those could have worked regardless iirc. API credential leakage is the trickiest and most likely issue to encounter here for sure. Generally those are at least not very frequent, on a narrow user base, and require per-device asymmetric keys with local passwords to use and aren’t very obvious to break from just the network, although user auth session (once per device) would be a likely best candidate there to then register other keys.

All of these are pretty narrow and require convoluted approaches by someone very dedicated. By comparison, what I consider to be more realistic threats of build tools are all made easier by having people just write a dependency that runs arbitrary code (as macros or configuration scripts) to exfiltrate or modify local data, and convincing people to install it.

Local passwords on publication helps protect against this becoming a worm (you require user input to do it), but there are interesting high-yield approaches then, such as lifting SSH keys (which give you potential access to git repositories and may not be password-protected) or just scanning project-parent directories that contain source code and having the ability to make changes there.

For a comparison, I’m handling all of these TLS issues very seriously, but as far as threat modelling goes, this is closing the 2nd floor window when the front door is off its hinges already, on purpose.

Where Next?

Popular in Erlang News Top

Devtalk
A new Erlang news item has been posted! Link: Release OTP 24.1.1 · erlang/otp · GitHub
New
Devtalk
A new Erlang news item has been posted! Link: Release OTP 23.2.5 · erlang/otp · GitHub Posted via Devtalk.
New
erlangforums
A new Erlang announcement has been posted: Original announcement:
New
erlangforums
A new Erlang announcement has been posted: Original announcement:
New
erlangforums
This thread will be used to cross-post official EEF News via erlangforums.com. If you’d rather not see these alerts, you can mute the th...
New
New
kennethL
Read the new Blog post by John Högberg at the OTP team. It is a brief primer on BEAM, the virtual machine that executes user code in th...
New
erlangforums
Please provide feedback: Erlang/OTP 26.0-rc1 is the first release candidate of three before the OTP 26.0 release. The intention with ...
New
OvermindDL1
A few good fixes and enhancements, SSL added more methods and is faster, socket polling is faster, however 2 big things that I like! Ne...
New
bjorng
The third release candidate for Erlang/OTP 22.0 has been released. Erlang/OTP 22 is a new major release with new features and improveme...
New

Other popular topics Top

malloryerik
Hi, this is for people who, like me, have had some friction using .html.heex templates in VSCode. The solution seems to be, in a hyphena...
New
electic
Hi, I am new to Elixir. I am trying to use the DateTime component to insert a date into MySQL however the there seems to be no way to fo...
New
shahryarjb
Hello, I have map which I want to convert it to string like this: the map: %{last_name: "tavakkoli", name: "shahryar"} the string I ne...
New
fireproofsocks
Forgive me if this is obvious, but how does one delete a database record WITHOUT selecting it first? Ecto.Repo — Ecto v3.14.0 has exampl...
New
Emily
I have VueJS GUIs with the project generated using Webpack. I have Elixir modules that will need to be used by the VueJS GUIs. I forese...
New
RisingFromAshes
I’ve read in another post that it may be possible with a router helper - but I couldn’t find an appropriate one, and tbh, I’m still just ...
New
sergio_101
I am VERY much an elixir newbie. I have taken one elixir course and one phoenix course on Udemy. During that course, I saw the instructor...
New
saif
Hello everyone, Long time lurker first time poster here. I’ve recently begun working on Elixir full-time again! :raised_hands: It’s been...
New
romenigld
I am trying to run a deploy with docker and I successfully runned with this command: docker build -t romenigld/blog-prod . but when I t...
New
svb
Hi! Currently I want to submit a form by pressing the Enter key. However, since my input field is of type “textarea” this is just adds a...
New

We're in Beta

About us Mission Statement