[web-devel] HEADS-UP: security fix, please upgrade clientsession to >= 0.7.3.1
Felipe Almeida Lessa
felipe.lessa at gmail.com
Mon Oct 3 15:10:44 CEST 2011
On Mon, Oct 3, 2011 at 10:01 AM, Felipe Almeida Lessa
<felipe.lessa at gmail.com> wrote:
> With a timing attack a malicious user may be able to construct a valid
> MAC for his message. However, the attacker is not able to recover the
> MAC key or the encryption key. So you don't need to change your keys,
> just upgrade ASAP.
If you are really paranoid, you may worry about a malicious user that
created a valid cookie for an administrator expiring in 2030 while you
still haven't upgraded. If you have this level of security
paranoia/consciousness, you may want to generate new keys. Just
delete client_session_key.aes before restarting your application with
the fixed clientsession >= 0.7.3.1 and new, random keys will be
generated for you.
Cheers, =)
--
Felipe.
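The bug class behind this fix, as an added Python illustration that is not clientsession's code: a verifier that checks the MAC tag with an early-exit comparison does an amount of work that depends on how long a prefix of the tag is correct, while `hmac.compare_digest` does not. The cookie layout (payload followed by an HMAC-SHA256 tag), the key and the payload are constructed for the demo.

```python
import hmac
import hashlib

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

def sign(key: bytes, payload: bytes) -> bytes:
    """Return payload || HMAC-SHA256(key, payload): the general shape of a
    MAC-protected cookie (hypothetical layout, not clientsession's format)."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def leaky_equal(a: bytes, b: bytes):
    """Early-exit comparison of two tags.

    Returns (equal, bytes_inspected).  The count stands in for the response
    time an observer could measure: it grows with the length of the prefix of
    the presented tag that matches the real one, which is the leak a timing
    attack relies on."""
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)

def verify_leaky(key: bytes, cookie: bytes):
    """Vulnerable verifier: accepts the cookie iff the tag matches, but the
    work it does depends on how much of the tag is right."""
    payload, tag = cookie[:-TAG_LEN], cookie[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    ok, _ = leaky_equal(expected, tag)
    return payload if ok else None

def verify_constant_time(key: bytes, cookie: bytes):
    """Fixed verifier: hmac.compare_digest takes time independent of where
    (or whether) the two tags differ."""
    payload, tag = cookie[:-TAG_LEN], cookie[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(expected, tag) else None

def work_for_matching_prefix(key: bytes, payload: bytes, k: int) -> int:
    """Bytes the leaky comparison inspects for a tag whose first k bytes are
    right and whose remaining bytes are all wrong (each flipped with 0xFF)."""
    real = hmac.new(key, payload, hashlib.sha256).digest()
    guess = real[:k] + bytes(x ^ 0xFF for x in real[k:])
    _, inspected = leaky_equal(real, guess)
    return inspected
```

`work_for_matching_prefix` returns 1, 6 and 32 for k = 0, 5 and 31: the inspected-byte count, and with it the verifier's running time, tracks the correct prefix length, which is exactly what a constant-time comparison removes.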