Static and session security fixes for Plug

elixir-announcement

#21

Thanks for staying on top of this! It got me thinking…

It’d be nice to build some security vulnerability reporting features into mix & hex.

Perhaps a package author could flag a particular version as containing a vulnerability, and then when running commands like mix deps.get, we’d get a warning about that vulnerability.

I think that could help the ecosystem as a whole stay on top of security issues as Elixir grows.


#22

Hex package versions can be retired, security issues being one of the reasons for retirement. In this instance we did not retire Plug because all versions would need to be retired and the security reason was not severe enough to require a retirement of the released versions.

I think a separate tool or service for reporting any security vulnerabilities would be great, but it should not be part of elixir core or hex.


#23

I think it would be cool if @rrrene’s HexFaktor could be extended to be that tool!


#24

I wrote up a quick blog post on the vulnerabilities, which you can find here. It details the more “practical” method of achieving code execution in serialization functionality, as well as PoCs for anyone who wants to experiment with these locally.


#25

Thank you @griffinbyatt for reporting the vulnerabilities and writing about it!