251: SSH Vulnerability and Cookies are Changing

News includes a critical Unauthenticated Remote Code Execution vulnerability in Erlang/OTP SSH, José Valim teasing a new project, Oban Pro v1.6's impressive new "Cascade Mode" feature, Semaphore CI/CD platform being open-sourced as a primarily Elixir application, new sandboxing options for Elixir code with Dune and Mini Elixir, BeaconCMS development slowing due to DockYard cuts, and a look at the upcoming W3C Device Bound Session Credentials standard that will impact all web applications, and more!

Show Notes online - http://podcast.thinkingelixir.com/251

Elixir Community News

• https://paraxial.io/ – Paraxial.io is sponsoring today's show! Sign up for a free trial of Paraxial.io today and mention Thinking Elixir when you schedule a demo for a limited time offer.


• https://x.com/ErlangDiscu/status/1914259474937753747 – Unauthenticated Remote Code Execution vulnerability discovered in Erlang/OTP SSH.


• https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2 – Official security advisory for the Erlang/OTP SSH vulnerability.


• https://paraxial.io/blog/erlang-ssh – Paraxial.io's detailed blog post addressing how the SSH vulnerability impacts typical Elixir systems.


• https://elixirforum.com/t/updated-nerves-systems-available-with-cve-2025-32433-ssh-fix/70539 – Updated Nerves systems available with SSH vulnerability fix.


• https://bsky.app/profile/oban.pro/post/3lndzg72r2k2g – Announcement of Oban Pro v1.6's new "Cascade Mode" feature.


• https://oban.pro/articles/weaving-stories-with-cascading-workflows – Blog post demonstrating Oban Pro's new Cascading Workflows feature used to create children's stories with AI.


• https://bsky.app/profile/josevalim.bsky.social/post/3lmw5fvnyvc2k – José Valim teasing a new logo with "Soon" message.


• https://tidewave.ai/ – New site mentioned in José Valim's teasers, not loading to anything yet.


• https://github.com/tidewave-ai – New GitHub organization related to José Valim's upcoming announcement.


• https://github.com/tidewave-ai/mcp_proxy_elixir – The only public project in the tidewave-ai organization - an Elixir MCP server for STDIO.


• https://x.com/chris_mccord/status/1913073561561858229 – Chris McCord teasing AI development with Phoenix applications.


• https://ashweekly.substack.com/p/ash-weekly-issue-13 – Zach Daniel teasing upcoming Ash news to be announced at ElixirConf EU.


• https://elixirforum.com/t/dune-sandbox-for-elixir/42480 – Dune - a sandbox for Elixir created by a Phoenix maintainer.


• https://github.com/functional-rewire/dune – GitHub repository for Dune, an Elixir code sandbox.


• https://blog.sequinstream.com/why-we-built-mini-elixir/ – Blog post explaining Mini Elixir, another Elixir code sandbox solution.


• https://github.com/sequinstream/sequin/tree/main/lib/sequin/transforms/minielixir – GitHub repository that contains Mini Elixir, an Elixir AST interpreter.


• https://www.reddit.com/r/elixir/comments/1k27ekg/we_built_a_custom_elixir_ast_interpreter_for/ – Reddit discussion about Mini Elixir AST interpreter.


• https://github.com/semaphoreio/semaphore – Semaphore CI/CD platform open-sourced under Apache 2.0 license - primarily an Elixir application.


• https://semaphore.io/ – Official website for Semaphore CI/CD platform.


• https://docs.semaphoreci.com/CE/getting-started/install – Installation guide for Semaphore Community Edition.


• https://bsky.app/profile/markoanastasov.bsky.social/post/3lj5o5h5z7k2t – Announcement from Marko Anastasov, co-founder of Semaphore CI, about open-sourcing their platform.


• https://github.com/elixir-dbvisor/sql – GitHub repository for SQL parser and sigil with impressive benchmarks.


• https://groups.google.com/g/elixir-ecto/c/8MOkRFAdLZc?pli=1 – Discussion about SQL parser being 400-650x faster than Ecto for generating SQL.


• https://bsky.app/profile/bcardarella.bsky.social/post/3lndymobsak2p – Announcement about BeaconCMS reducing development due to Dockyard cuts.


• https://bsky.app/profile/did:plc:vnywtpvzgdgetnwea3fs3y6w – Related profile for BeaconCMS announcement.


• https://beaconcms.org/ – BeaconCMS official website.


• https://github.com/BeaconCMS/beacon – GitHub repository for BeaconCMS.

Do you have some Elixir news to share? Tell us at @ThinkingElixir or email at [email protected]

Discussion Resources

• Discussion about Device Bound Session Credentials, a W3C initiative being built into major browsers that will require minor changes to Phoenix for implementation.


• https://w3c.github.io/webappsec-dbsc/ – W3C - Device Bound Session Credentials proposal


• https://github.com/w3c/webappsec-dbsc/ – Device Bound Session Credentials explainer


• https://developer.chrome.com/docs/web-platform/device-bound-session-credentials – Device Bound Session Credentials (DBSC) on the Google Chrome developer blog


• https://en.wikipedia.org/wiki/Trusted_Platform_Module – Wikipedia article on Trusted Platform Module, relevant to Device Bound Session Credentials discussion.


• https://www.grc.com/sn/sn-1021-notes.pdf – Other podcast show notes discussing Device Bound Session Credentials (DBSC).


• https://twit.tv/shows/security-now/episodes/1021?autostart=false – Security Now podcast episode covering Device Bound Session Credentials (time coded link to discussion).

Find us online

• Message the show - Bluesky


• Message the show - X


• Message the show on Fediverse - @[email protected]


• Email the show - [email protected]


• Mark Ericksen on X - @brainlid


• Mark Ericksen on Bluesky - @brainlid.bsky.social


• Mark Ericksen on Fediverse - @[email protected]


• David Bernheisel on Bluesky - @david.bernheisel.com


• David Bernheisel on Fediverse - @[email protected]

Sponsored By:

• Paraxial.io: Paraxial.io is sponsoring today's show! Sign up for a free trial of Paraxial.io today and mention Thinking Elixir when you schedule a demo for a limited time offer.