Gentoo: GLSA-202405-30: Rebar3: Command Injection
Summary
Rebar3 is vulnerable to OS command injection via the URL parameter of a
dependency specification.
Resolution
Gentoo has discontinued support for the Rebar3 binary package. We recommend
that users unmerge it:
# emerge --ask --depclean "dev-util/rebar-bin"
References
[ 1 ] CVE-2020-13802
https://nvd.nist.gov/vuln/detail/CVE-2020-13802
Availability
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202405-30
Concerns
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
Synopsis
A vulnerability has been discovered in Rebar3, which can lead to command
injection.
Background
A sophisticated build-tool for Erlang projects that follows OTP
principles.
Affected Packages
Package Vulnerable Unaffected
------------------ ------------ ------------
dev-util/rebar-bin < 3.14.4 >= 3.14.4
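As an added example (not part of the GLSA), the following POSIX shell check maps an installed dev-util/rebar-bin version onto the table above and prints the Resolution command when the version falls in the "< 3.14.4" range. It assumes plain numeric versions with an optional Gentoo -rN revision suffix, and reads installed versions from the package database under /var/db/pkg.

```shell
#!/bin/sh
# Vulnerable range from the Affected Packages table: < 3.14.4
FIXED_VERSION="3.14.4"

# version_lt A B: exit 0 when dotted-numeric version A sorts before B.
# A trailing Gentoo revision (-rN) is ignored; pre-release suffixes
# such as _rc1 are not handled (assumption: plain numeric versions).
version_lt() {
    a=${1%%-r*}; b=${2%%-r*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        pa=${a%%.*}; pb=${b%%.*}
        # drop the component just consumed (empty once exhausted)
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
        pa=${pa:-0}; pb=${pb:-0}          # 3.14 compares as 3.14.0
        [ "$pa" -lt "$pb" ] && return 0
        [ "$pa" -gt "$pb" ] && return 1
    done
    return 1                              # versions are equal
}

# rebar_bin_vulnerable VERSION: exit 0 when VERSION is in the vulnerable range.
rebar_bin_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# Look up installed copies in the VDB that emerge maintains (assumed layout:
# /var/db/pkg/<category>/<package>-<version>).
for d in /var/db/pkg/dev-util/rebar-bin-*; do
    [ -d "$d" ] || continue
    v=${d##*/rebar-bin-}
    if rebar_bin_vulnerable "$v"; then
        echo "dev-util/rebar-bin-$v: vulnerable; run: emerge --ask --depclean \"dev-util/rebar-bin\""
    else
        echo "dev-util/rebar-bin-$v: not in the vulnerable range (package support is discontinued regardless)"
    fi
done
```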
Impact
A vulnerability has been discovered in Rebar3. Please review the CVE
identifier referenced below for details.
Workaround
There is no known workaround at this time.