ferd
Major vulnerability fix for Rebar3
Bad news. You have to upgrade Rebar3. We just noticed that SSL validation had been partially disabled for years.
I’ve written up all the details at You've got to upgrade Rebar3
but the TL:DR; is:
-
Rebar3 didn’t properly check TLS certs for hex packages since version 3.7.0
-
Non-hex dependencies are fine
-
We don’t think there’s anybody exploiting it in the wild and it should be rather difficult
-
I’ve had time to cut releases for OTP-19 to 24 (two releases) and nightly builds are up to date
-
Older versions than 3.14 on OTP prior to 19 have no clear update path without someone having time to backport the patch further in the past.
-
it does not affect mix users
Sorry about that
Most Liked
voltone
Yes: when the top-level project is managed by Mix then all Hex packages are fetched by Mix/Hex, even (transitive) dependencies that use Rebar3 as the build tool.
Mix has never verified the server’s certificate, since it does not have a CA trust store (unlike e.g. Hex and Rebar3). Instead of relying on a secure channel, it verifies the artifacts it downloads against a registry of checksums. This registry has a signature that can be verified using the public key(s) that are built into the tool, and that can be managed using mix local.public_keys.
josevalim
We have updated the rebar versions for those on Elixir v1.11.4+. As we said, Elixir is safe regardless as we don’t use rebar to download packages, but providing the latest rebar is a good call anyway. ![]()
ferd
Yep. 3.7 had specific substitution attacks in limited scenarios, but those could have worked regardless iirc. API credential leakage is the trickiest and most likely issue to encounter here for sure. Generally those are at least not very frequent, on a narrow user base, and require per-device asymmetric keys with local passwords to use and aren’t very obvious to break from just the network, although user auth session (once per device) would be a likely best candidate there to then register other keys.
All of these are pretty narrow and require convoluted approaches by someone very dedicated. By comparison, what I consider to be more realistic threats of build tools are all made easier by having people just write a dependency that runs arbitrary code (as macros or configuration scripts) to exfiltrate or modify local data, and convincing people to install it.
Local passwords on publication helps protect against this becoming a worm (you require user input to do it), but there are interesting high-yield approaches then, such as lifting SSH keys (which give you potential access to git repositories and may not be password-protected) or just scanning project-parent directories that contain source code and having the ability to make changes there.
For a comparison, I’m handling all of these TLS issues very seriously, but as far as threat modelling goes, this is closing the 2nd floor window when the front door is off its hinges already, on purpose.
Popular in Erlang News
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance








