On 6/24/12 11:38 PM, Claes Wikstrom wrote:
> On 6/24/12 1:22 PM, Sergei Golovan wrote:
>>> On Thu, Jun 21, 2012 at 12:54 AM, Claes Wikstrom <klacke@...> wrote:
>>> New yaws release which contains a fix to pretty serious security hole.
>>> The relevant relnote entry is:
>>> Use crypto:rand_bytes() instead of the cryptographically weak random module.
>> There's one issue remaining with this change: the new cookie consists
>> of random characters in 0-FF range which means that occasionally some
>> control characters will appear in it.
> So, I actually thought of this when I decided on the crypto:rand_bytes()
> fix, but thought that since the previous random produced an integer
> it's ok. However looking at the code, I see now that integer_to_list
> is called, so indeed, we need this fixed
Thought more on this: this bug makes the session server secure but
unusable, so we'll have to do a follow-up release. I pushed the fix, but
I'll wait a day or two to make 1.94 available in case more problems pop up.
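To make the point of the thread concrete, here is an added Erlang example (not yaws code and not from the thread) that draws session-cookie bytes from the OTP CSPRNG and hex-encodes them so that no control characters from the 0-FF range reach the Set-Cookie header; the module and function names are my own, and `crypto:strong_rand_bytes/1` stands in for the `crypto:rand_bytes/1` of the 2012 release.

```erlang
%% session_cookie.erl: generate a session cookie from CSPRNG bytes and
%% encode it into RFC 6265 cookie-octets (no control characters).
-module(session_cookie).
-export([new_cookie/0, new_cookie/1, cookie_safe/1]).

%% True if every character is a cookie-octet per RFC 6265:
%% %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E (so no CTLs, space,
%% DQUOTE, comma, semicolon or backslash).
cookie_safe(Cookie) when is_list(Cookie) ->
    lists:all(fun cookie_octet/1, Cookie).

cookie_octet(C) when C =:= 16#21 -> true;
cookie_octet(C) when C >= 16#23, C =< 16#2B -> true;
cookie_octet(C) when C >= 16#2D, C =< 16#3A -> true;
cookie_octet(C) when C >= 16#3C, C =< 16#5B -> true;
cookie_octet(C) when C >= 16#5D, C =< 16#7E -> true;
cookie_octet(_) -> false.

%% 16 random bytes = 128 bits of entropy, which is plenty for a session id.
new_cookie() -> new_cookie(16).

new_cookie(NBytes) when is_integer(NBytes), NBytes > 0 ->
    %% crypto:strong_rand_bytes/1 is the CSPRNG in current OTP; the 2012
    %% release in the thread used crypto:rand_bytes/1 (since removed).
    %% Either way the result is a binary of raw octets 0..255, and using
    %% binary_to_list(Raw) directly as the cookie is exactly the bug above.
    Raw = crypto:strong_rand_bytes(NBytes),
    %% Hex-encode: each octet becomes two chars from "0123456789abcdef",
    %% all of which are cookie-octets, so cookie_safe/1 is always true.
    lists:flatten([io_lib:format("~2.16.0b", [B]) || <<B>> <= Raw]).
```

In an Erlang shell, `session_cookie:cookie_safe(session_cookie:new_cookie())` returns `true`, while `session_cookie:cookie_safe(binary_to_list(crypto:strong_rand_bytes(16)))` will sooner or later return `false`.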