Rebar3: Command Injection — GLSA 202405-30

A vulnerability has been discovered in Rebar3, which can lead to command injection.

Affected packages

dev-util/rebar-bin on all architectures
Affected versions < 3.14.4
Unaffected versions >= 3.14.4

Background

Rebar3 is a sophisticated build tool for Erlang projects that follows OTP principles.

Description

Rebar3 is vulnerable to OS command injection via the URL parameter of a dependency specification.
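The vulnerability class named above, as an added illustration that is not Rebar3's own code and does not reproduce the Rebar3 defect: a dependency URL interpolated into a single shell command string (so that shell metacharacters in the URL become a second command) beside the same clone built as an argv list, with the URL and tag validated before use. The rebar.config-style entries, the attacker-controlled URL, the scheme allow-list and the tag pattern are constructed assumptions for the example.

```python
import re
import subprocess
from urllib.parse import urlparse

# Constructed dependency specifications, modelled loosely on a rebar.config
# {deps, [{Name, {git, Url, {tag, Tag}}}]} entry. The second URL is a
# constructed attacker-controlled value; the command it smuggles is harmless.
DEPS = [
    ("cowboy", "https://github.com/ninenines/cowboy.git", "2.9.0"),
    ("evil", "https://example.invalid/x.git; touch /tmp/pwned #", "1.0.0"),
]

# Assumed policy for this example: which URL schemes a dependency may use,
# which characters must never reach a shell, and what a git tag may look like.
ALLOWED_SCHEMES = {"https", "ssh", "git"}
SHELL_META = set(";&|`$(){}<>'\"\\ \t\n")
TAG_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]*")


def vulnerable_clone_command(url, tag):
    """The injectable pattern: the untrusted URL is interpolated into one
    string that is then handed to a shell (os:cmd, system(), shell=True).
    Everything after the ';' in the constructed URL becomes a second command."""
    return f"git clone --branch {tag} {url} dep"


def validated_url(url):
    """Accept only a URL with an expected scheme and host and no shell
    metacharacters; raise ValueError otherwise. Note that scp-style
    git@host:repo.git spellings have no scheme and are rejected here."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.netloc:
        raise ValueError(f"unexpected dependency URL: {url!r}")
    if any(ch in SHELL_META for ch in url):
        raise ValueError(f"shell metacharacters in dependency URL: {url!r}")
    return url


def validated_tag(tag):
    """Reject tags that are not plain ref names; in particular a tag
    starting with '-' could be read by git as an option."""
    if not TAG_RE.fullmatch(tag):
        raise ValueError(f"unexpected tag: {tag!r}")
    return tag


def safe_clone_argv(url, tag):
    """Build the clone as an argv list: no shell is involved, so the URL is
    always exactly one argument whatever characters it contains."""
    return ["git", "clone", "--branch", validated_tag(tag), validated_url(url), "dep"]


def run_clone(url, tag, dry_run=True):
    """Execute the clone without a shell (shell=False is subprocess's default);
    dry_run returns the argv instead of running git."""
    argv = safe_clone_argv(url, tag)
    if dry_run:
        return argv
    subprocess.run(argv, check=True)
    return argv


def plan_clones(deps):
    """Validate every dependency: accepted -> {name: argv}, rejected -> {name: reason}."""
    accepted, rejected = {}, {}
    for name, url, tag in deps:
        try:
            accepted[name] = safe_clone_argv(url, tag)
        except ValueError as exc:
            rejected[name] = str(exc)
    return accepted, rejected


if __name__ == "__main__":
    for name, url, tag in DEPS:
        print(f"[{name}] shell string: {vulnerable_clone_command(url, tag)!r}")
    accepted, rejected = plan_clones(DEPS)
    print("accepted:", accepted)
    print("rejected:", rejected)
```

The string form shows why "validate then concatenate" is fragile: the fix that matters is never letting the URL reach a shell at all, with the allow-list as defence in depth.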

Impact

An attacker who can control the URL in a dependency specification (for example through a crafted rebar.config in a project or dependency that a user builds) could execute arbitrary OS commands with the privileges of the user running Rebar3. Please review the referenced CVE identifier for details.

Workaround

There is no known workaround at this time.

Resolution

Gentoo has discontinued support for the Rebar3 binary package. We recommend that users unmerge it:

 # emerge --ask --depclean "dev-util/rebar-bin"

References

Release date
May 12, 2024

Latest revision
May 12, 2024: 1

Severity
normal

Exploitable
local

Bugzilla entries