Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

Random numbers - security issue #369

Closed
mworrell opened this Issue Jun 21, 2012 · 1 comment

Comments

Projects
None yet
1 participant
Owner

mworrell commented Jun 21, 2012

We need to fix our random number/string generation.
At least where it is used for:

  • session ids (all random cookie values)
  • password salts

See this mail from Claes Wikstrom:

Folks,

New yaws release which contains a fix to pretty serious security hole.
The relevant relnote entry is:

Use crypto:rand_bytes() instead of the cryptographically weak random module. Swedish security consultant and cryptographer Kalle Zetterlund discovered a way to - given a sequence of cookies produced by yaws_session_server - predict the next session id. Thus providing a gaping security hole into yaws servers that use the yaws_session_server to maintain cookie based HTTP sessions (klacke/kallez)

It's been almost 6 months since the last release, so this one also contains
a long series of good fixes and improvements from a lot of good people.

Thanks everyone !!

Code, release, relnotes, docs etc at http://yaws.hyber.org/

Yaws team -

Owner

mworrell commented Sep 19, 2012

We need something similar to this patch:

klacke/yaws@ed75b53#src/yaws_session_server.erl

@mworrell mworrell closed this in 5aa11ca Sep 19, 2012

michielklonhammer added a commit to michielklonhammer/zotonic that referenced this issue Sep 25, 2012

rpip pushed a commit to rpip/zotonic that referenced this issue Aug 12, 2013

ddeboer pushed a commit to ddeboer/zotonic that referenced this issue May 16, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment