[web-devel] HEADS-UP: security fix, please upgrade clientsession to >= 0.7.3.1

Felipe Almeida Lessa felipe.lessa at gmail.com
Mon Oct 3 15:01:43 CEST 2011


Hello!

Please be advised that clientsession < 0.7.3.1 is vulnerable to timing
attacks [1].  We have just released a fix and it's already on Hackage
[2].  We advise all users of clientsession (and, consequently, Yesod)
to upgrade as soon as possible to a version >= 0.7.3.1.

With a timing attack a malicious user may be able to construct a valid
MAC for his message.  However, the attacker is not able to recover the
MAC key or the encryption key.  So you don't need to change your keys,
just upgrade ASAP.

Cheers, =)

[1] https://github.com/snoyberg/clientsession/pull/4
[2] http://hackage.haskell.org/package/clientsession-0.7.3.1

-- 
Felipe.
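The attack the announcement describes works against a MAC check that compares the expected tag with the submitted one byte by byte and returns at the first mismatch: how long the check takes reveals how many leading bytes the attacker already has right, so the tag can be recovered one byte at a time without ever learning the key. The following Python program is an added illustration of that mechanism and is not clientsession code (the library is Haskell; Python is used here only because the idea is language-independent). The key, message, tag length and the "oracle" that reports a comparison count in place of a wall-clock measurement are all constructed for the example.

```python
import hashlib
import hmac

# Constructed example key and message (not real clientsession material).
KEY = b"example-key-not-the-real-one"
MSG = b"user=alice;role=admin"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256


def mac(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 tag over msg; the server side knows key, the attacker does not."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def leaky_verify(key: bytes, msg: bytes, tag: bytes) -> tuple[bool, int]:
    """Early-exit comparison (the vulnerable pattern).

    Returns (verdict, steps).  'steps' is the number of byte comparisons
    performed, standing in for elapsed time: a tag whose first i bytes are
    correct costs i+1 steps, so the count leaks the length of the correct prefix.
    """
    expected = mac(key, msg)
    if len(tag) != len(expected):
        return False, 0
    steps = 0
    for a, b in zip(expected, tag):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def constant_time_verify(key: bytes, msg: bytes, tag: bytes) -> tuple[bool, int]:
    """Constant-time comparison (the hardened pattern).

    hmac.compare_digest always touches every byte, so the step count is the
    same for every candidate tag and carries no information about the prefix.
    """
    expected = mac(key, msg)
    return hmac.compare_digest(expected, tag), len(expected)


def make_oracle(verify, key: bytes, msg: bytes):
    """What the attacker actually gets: submit a tag, observe verdict and 'time'."""
    return lambda tag: verify(key, msg, tag)


def forge_tag(oracle, length: int = TAG_LEN) -> bytes:
    """Attacker side: build a valid tag byte by byte using only the oracle.

    For each position, try all 256 values and keep the one whose check ran
    longest; against the leaky check that is exactly the correct byte.
    Against the constant-time check every candidate looks the same, so the
    guess never improves and the result is an (invalid) all-zero tag.
    """
    guess = bytearray(length)
    for i in range(length):
        best_byte, best_steps = 0, -1
        for candidate in range(256):
            guess[i] = candidate
            ok, steps = oracle(bytes(guess))
            if ok:  # last byte landed: a valid tag without the key
                return bytes(guess)
            if steps > best_steps:
                best_byte, best_steps = candidate, steps
        guess[i] = best_byte
    return bytes(guess)


def demo() -> dict:
    """Run the forgery against both checks and report whether each succeeded."""
    real = mac(KEY, MSG)
    forged_leaky = forge_tag(make_oracle(leaky_verify, KEY, MSG))
    forged_ct = forge_tag(make_oracle(constant_time_verify, KEY, MSG))
    return {
        "leaky_forged_valid": hmac.compare_digest(forged_leaky, real),
        "constant_time_forged_valid": hmac.compare_digest(forged_ct, real),
    }


if __name__ == "__main__":
    print(demo())
```

Against the early-exit check the attacker needs at most 256 oracle queries per tag byte, and ends up holding a valid tag for a message of their choosing without having recovered the key, which is why the announcement says an upgrade is needed but a key change is not. In a real deployment the "steps" counter is replaced by network round-trip times, which are noisy, so an attacker averages many measurements per candidate; the remedy is the same either way, namely a comparison whose running time does not depend on where the first mismatch occurs.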


