My bad opinions

Submitted by Style Pass, 2021-05-24 14:00:05

Bad news. You have to upgrade Rebar3. Like right now. We just noticed that SSL validation had been partially disabled for years.

We accidentally disabled all TLS validation when communicating with https://hex.pm in Rebar3 itself. Without certificate verification, anyone able to intercept that connection could impersonate hex.pm, so Hex packages you downloaded may have seen only partial validation and could have been subjected to attack. While we do not think any such exploit has happened in the wild, we still treat this as urgent. Git or Mercurial dependencies, and any other communications (such as rebar3 local upgrade commands), are unaffected.
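To make the failure mode concrete, here is an added illustrative example (not Rebar3's own code, nor the patch that fixed it) of the difference between an Erlang httpc request whose ssl options skip verification and one that verifies the chain and the hostname. The module name, function names and the use of httpc are assumptions for the example; public_key:cacerts_get/0 requires OTP 25 or later.

```erlang
%% Added illustrative example, not code from Rebar3.
%% Shows a TLS client that accepts any certificate (weak) next to one
%% that verifies the chain against the OS trust store and checks the
%% hostname (strong). Module and function names are assumptions.
-module(hex_tls_example).
-export([weak_ssl_opts/0, strong_ssl_opts/1, fetch/2]).

%% WEAK: verify_none accepts any certificate chain for any hostname,
%% so a network attacker can impersonate the server.
weak_ssl_opts() ->
    [{verify, verify_none}].

%% STRONG: verify the chain against the OS trust store (OTP 25+),
%% send SNI, and check the certificate against the hostname we dialed.
strong_ssl_opts(Host) ->
    [{verify, verify_peer},
     {cacerts, public_key:cacerts_get()},
     {server_name_indication, Host},
     {customize_hostname_check,
      [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}].

%% Fetch Url through httpc with the given ssl options.
%% Returns {ok, {{Version, Status, Reason}, Headers, Body}} or {error, Reason}.
fetch(Url, SslOpts) ->
    {ok, _} = application:ensure_all_started(inets),
    {ok, _} = application:ensure_all_started(ssl),
    httpc:request(get, {Url, []}, [{ssl, SslOpts}], [{body_format, binary}]).
```

Usage: hex_tls_example:fetch("https://hex.pm", hex_tls_example:strong_ssl_opts("hex.pm")) succeeds only when the presented chain validates and matches the name; the same call with hex_tls_example:weak_ssl_opts() succeeds against any certificate, which is the behaviour the advisory describes.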

All versions starting with Rebar3 3.7.0 released in November 2018 are affected. The specific versions, given OTP compatibility schedules, are:

You can call rebar3 version if you want to know which one you're running for sure. If you are a mix user (with Elixir), you are not at risk: Rebar3 is used by mix only to build code, not to fetch dependencies.

The following versions have been tagged, to provide the quickest path to safety for any project on any supported versions in that time period:
