From: Nico K. <lis...@go...> - 2012-06-25 09:04:20

While you're at it (yaws 1.94)... the current version does not compile on Erlang R13. The patch is quite simple and attached to this mail. Could you add this as well?

Regards
Nico

On Sunday 24 Jun 2012 23:53:48 Claes Wikstrom wrote:
> On 6/24/12 11:38 PM, Claes Wikstrom wrote:
> > On 6/24/12 1:22 PM, Sergei Golovan wrote:
> >> Hi!
> >>
> >> On Thu, Jun 21, 2012 at 12:54 AM, Claes Wikstrom <kl...@ta...> wrote:
> >>> New yaws release which contains a fix to a pretty serious security hole.
> >>> The relevant relnote entry is:
> >>>
> >>> Use crypto:rand_bytes() instead of the cryptographically weak random
> >>> module.
> >>
> >> There's one issue remaining with this change: the new cookie consists
> >> of random characters in the 0-FF range, which means that occasionally some
> >> control characters will appear in it.
> >
> > So, I actually thought of this when I decided on the crypto:rand_bytes()
> > fix, but thought that since the previous random produced an integer
> > it's ok. However, looking at the code, I see now that integer_to_list
> > is called, so indeed, we need this fixed.
>
> Thought more on this: this bug makes the session server secure but
> unusable, so we'll have to do a follow-up release. I pushed the fix, but
> I'll wait a day or two to make 1.94 available in case more problems pop up.
>
> Thanks Sergei,
>
>
> /klacke
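The thread above describes two separate properties of a session cookie: the generator must be cryptographically strong (the move from the `random` module to `crypto:rand_bytes()`), and the rendered value must use only characters that are legal in a cookie (the old integer-to-decimal path satisfied this by accident; raw bytes in the 0-FF range do not). The following Python script is an added illustration of that second point and its usual fix; it is not Yaws code and not Erlang. It uses only the standard library, and the `SAMPLE_RAW` bytes are constructed for the demonstration.

```python
import base64
import os
import secrets

# RFC 6265 cookie-value characters: 0x21, 0x23-0x2B, 0x2D-0x3A, 0x3C-0x5B,
# 0x5D-0x7E. Everything else (controls, space, '"', ',', ';', '\\', and any
# byte >= 0x80) must not appear unquoted in a Set-Cookie value.
_COOKIE_SAFE = frozenset(
    chr(c) for c in range(0x21, 0x7F) if c not in (0x22, 0x2C, 0x3B, 0x5C)
)

# Constructed sample: a control character, a ';' and a high byte, the kind of
# content that shows up when raw random bytes are used as characters directly.
SAMPLE_RAW = b"\x07\x3bAb\x9f"


def is_cookie_safe(value: str) -> bool:
    """True if every character may appear unquoted in a cookie value."""
    return all(ch in _COOKIE_SAFE for ch in value)


def raw_bytes_cookie(n_bytes: int) -> str:
    """The problematic construction: random bytes used directly as characters.
    Each position takes one of 256 values, of which only 90 are cookie-safe."""
    return os.urandom(n_bytes).decode("latin-1")


def decimal_cookie(bits: int = 128) -> str:
    """A random integer rendered as decimal digits, which is what an
    integer + integer_to_list path yields. The characters are always safe;
    the weakness in the old code was the generator, not the encoding."""
    return str(secrets.randbelow(1 << bits))


def encoded_cookie(n_bytes: int = 16) -> str:
    """The fix: strong random bytes, then encode them in a cookie-safe
    alphabet. URL-safe base64 without padding keeps the full entropy and
    produces only [A-Za-z0-9_-]."""
    raw = secrets.token_bytes(n_bytes)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def fraction_unsafe(n_bytes: int, samples: int = 1000) -> float:
    """Share of raw-byte cookies that contain at least one illegal character.
    For 16 bytes the chance of a fully safe value is (90/256)^16, about 5e-8,
    so essentially every cookie is affected, not just 'occasionally' some."""
    bad = sum(not is_cookie_safe(raw_bytes_cookie(n_bytes)) for _ in range(samples))
    return bad / samples


def entropy_bits(n_bytes: int) -> int:
    """Entropy carried by the token; encoding changes length, not entropy."""
    return n_bytes * 8


if __name__ == "__main__":
    print("sample raw cookie safe?", is_cookie_safe(SAMPLE_RAW.decode("latin-1")))
    print("raw 16-byte cookies unsafe:", fraction_unsafe(16))
    print("decimal cookie:", decimal_cookie())
    print("encoded cookie:", encoded_cookie(16), entropy_bits(16), "bits")
```

A hex encoding (`raw.hex()`) is an equally valid choice and is easier to eyeball in logs, at the cost of a longer value; what matters is that the encoder's output alphabet is a subset of the cookie-safe set and that the input bytes come from a CSPRNG.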