ferd

ferd

Author of Property-Based Testing with PropEr, LYSE, & Erlang in Anger

Major vulnerability fix for Rebar3

Bad news. You have to upgrade Rebar3. We just noticed that SSL validation had been partially disabled for years.

I’ve written up all the details at You've got to upgrade Rebar3

but the TL:DR; is:

  • Rebar3 didn’t properly check TLS certs for hex packages since version 3.7.0

  • Non-hex dependencies are fine

  • We don’t think there’s anybody exploiting it in the wild and it should be rather difficult

  • I’ve had time to cut releases for OTP-19 to 24 (two releases) and nightly builds are up to date

  • Older versions than 3.14 on OTP prior to 19 have no clear update path without someone having time to backport the patch further in the past.

  • it does not affect mix users

Sorry about that

Most Liked

voltone

voltone

Yes: when the top-level project is managed by Mix then all Hex packages are fetched by Mix/Hex, even (transitive) dependencies that use Rebar3 as the build tool.

Mix has never verified the server’s certificate, since it does not have a CA trust store (unlike e.g. Hex and Rebar3). Instead of relying on a secure channel, it verifies the artifacts it downloads against a registry of checksums. This registry has a signature that can be verified using the public key(s) that are built into the tool, and that can be managed using mix local.public_keys.

josevalim

josevalim

Creator of Elixir

We have updated the rebar versions for those on Elixir v1.11.4+. As we said, Elixir is safe regardless as we don’t use rebar to download packages, but providing the latest rebar is a good call anyway. :slight_smile:

ferd

ferd

Author of Property-Based Testing with PropEr, LYSE, & Erlang in Anger

Yep. 3.7 had specific substitution attacks in limited scenarios, but those could have worked regardless iirc. API credential leakage is the trickiest and most likely issue to encounter here for sure. Generally those are at least not very frequent, on a narrow user base, and require per-device asymmetric keys with local passwords to use and aren’t very obvious to break from just the network, although user auth session (once per device) would be a likely best candidate there to then register other keys.

All of these are pretty narrow and require convoluted approaches by someone very dedicated. By comparison, what I consider to be more realistic threats of build tools are all made easier by having people just write a dependency that runs arbitrary code (as macros or configuration scripts) to exfiltrate or modify local data, and convincing people to install it.

Local passwords on publication helps protect against this becoming a worm (you require user input to do it), but there are interesting high-yield approaches then, such as lifting SSH keys (which give you potential access to git repositories and may not be password-protected) or just scanning project-parent directories that contain source code and having the ability to make changes there.

For a comparison, I’m handling all of these TLS issues very seriously, but as far as threat modelling goes, this is closing the 2nd floor window when the front door is off its hinges already, on purpose.

Where Next?

Popular in Erlang News Top

Devtalk
A new Erlang news item has been posted! Link: Release OTP 24.0.1 · erlang/otp · GitHub Posted via Devtalk.
New
Devtalk
A new Erlang news item has been posted! Link: Release OTP 23.3.4.2 · erlang/otp · GitHub Posted via Devtalk.
New
Devtalk
A new Erlang news item has been posted! Link: Release OTP 23.2.7.1 · erlang/otp · GitHub Posted via Devtalk.
New
jhogberg
maint was accidentally hard-reset to master about an hour ago and pushed upstream, and a few of our own commits were then based on incorr...
New
michalmuskala
We’re very happy to announce the general availability of erlfmt - an automated code formatter for Erlang. erlfmt is an opinionated Erlan...
New
erlangforums
A new Erlang announcement has been posted: Original announcement:
New
New
Devtalk
A new Erlang news item has been posted! Link: Release OTP 23.3.4.6 · erlang/otp · GitHub Posted via Devtalk.
New
bjorng
The second release candidate of Erlang/OTP 22.0 has been released. This is the second of three planned release candidates before the OT...
New
erlangforums
A new Erlang announcement has been posted: Original announcement:
New

Other popular topics Top

malloryerik
Hi, this is for people who, like me, have had some friction using .html.heex templates in VSCode. The solution seems to be, in a hyphena...
New
New
TunkShif
This post is an instruction guide to help you setup your Neovim for Elixir development from scratch. It includes general information on h...
274 41989 114
New
belgoros
I’m not a pro in using Regex and can’t figure out why the following behaviour happens, especially if we take into account the difference ...
New
Lily
In templates/appointment/index.html.eex: <%= for appointment <- @appointments do %> <tr> <td><%= appoi...
New
gausby
I asked this very same question on twitter and got some interesting feedback, but I thought it would be a good question to ask here as we...
1207 39467 209
New
joeerl
Hello again - after a longish gap I’ve decided I really must dig into Elixir and see what’s been happening here - so I have a few questio...
New
AstonJ
Please see the new poll here: Which code editor or IDE do you use? (Poll) (2022 Edition) It’s been a while since we first asked this, I...
208 31265 143
New
grych
Hi folks, Few months ago I have announced the proof-of-concept of the library to manipulate the browsers DOM objects directly from Elixi...
639 52673 488
New
dblack
I’ve got an issue with an app and I’ve no idea of how to troubleshoot it. I’m hoping someone here might have seen something similar. I p...
New

Latest on Elixir Forum

Elixir Forum

We're in Beta

About us Mission Statement