Fred Hebert
2021-05-24 13:43:53 UTC
Bad news. You *have* to upgrade Rebar3. We just noticed that SSL validation
had been partially disabled for *years*.
I've written up all the details at
https://ferd.ca/you-ve-got-to-upgrade-rebar3.html
but the TL;DR is:
- Rebar3 didn't properly check TLS certs for hex packages since version
3.7.0
- Non-hex dependencies are fine
- We don't think there's anybody exploiting it in the wild and it should be
rather difficult
- I've had time to cut releases for OTP-19 to 24 (two releases) and nightly
builds are up to date
- Versions older than 3.14 on OTP prior to 19 have no clear update path
without someone having time to backport the patch further into the past.
Sorry about that.
- Fred.
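As an added illustration (not code from the post, from Rebar3 or from hex), the following Erlang module contrasts a TLS client that accepts any certificate, which is the class of weakness the post describes for hex package downloads, with one that verifies the chain and hostname; the host and the CA bundle path are assumptions.

```erlang
%% Added illustration; not code from the Rebar3 project or from the post.
%% Contrasts a TLS client that skips certificate validation with one that
%% validates the chain and the hostname. The CA bundle path is an assumption.
-module(tls_check).
-export([insecure_opts/0, secure_opts/1, check/1]).

%% Weak configuration: no peer verification. Any certificate is accepted, so
%% anyone who can terminate the TLS connection can serve arbitrary content.
%% (verify_none was the ssl application's default before OTP 26, so a client
%% that sets no verify option at all gets this behaviour.)
insecure_opts() ->
    [{verify, verify_none}].

%% Hardened configuration: verify the chain against a CA bundle, send SNI so
%% the server presents the right certificate, and match the hostname with
%% HTTPS rules (which include wildcard handling).
secure_opts(Host) ->
    [{verify, verify_peer},
     {cacertfile, "/etc/ssl/certs/ca-certificates.crt"}, % assumed bundle path
     {depth, 3},
     {server_name_indication, Host},
     {customize_hostname_check,
      [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}].

%% Connect with the hardened options and report the result. An error such as
%% {tls_alert, {bad_certificate, _}} or {tls_alert, {handshake_failure, _}}
%% means validation rejected the peer; with insecure_opts/0 the same server
%% would have been accepted silently.
check(Host) ->
    ok = ssl:start(),
    case ssl:connect(Host, 443, secure_opts(Host), 5000) of
        {ok, Sock} ->
            {ok, DerCert} = ssl:peercert(Sock),
            ssl:close(Sock),
            {ok, verified, byte_size(DerCert)};
        {error, Reason} ->
            {error, Reason}
    end.
```

Running `tls_check:check("hex.pm")` against the real host should succeed, while pointing it at a host whose certificate does not match the name should return an error rather than a socket.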