Felipe Almeida Lessa | 3 Oct 15:01 2011

HEADS-UP: security fix, please upgrade clientsession to >= 0.7.3.1

Hello!

Please be advised that clientsession < 0.7.3.1 is vulnerable to timing
attacks [1].  We have just released a fix and it's already on Hackage
[2].  We advise all users of clientsession (and, consequently, Yesod)
to upgrade as soon as possible to a version >= 0.7.3.1.

With a timing attack a malicious user may be able to construct a valid
MAC for his message.  However, the attacker is not able to recover the
MAC key or the encryption key.  So you don't need to change your keys;
just upgrade ASAP.

Cheers, =)

[1] https://github.com/snoyberg/clientsession/pull/4
[2] http://hackage.haskell.org/package/clientsession-0.7.3.1

-- 
Felipe.
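
The failure mode the message describes, as an added example that is not part of the original mail or of the clientsession code base: a MAC check that compares the expected and supplied tags with an early-exit loop lets an attacker who can observe how far the comparison got recover a valid tag one byte at a time, without ever learning the key. Python is used here instead of Haskell so the side channel can be made explicit: the comparison functions return how many bytes they inspected, which stands in for the wall-clock difference a real attacker would measure. The key, the message and the 32-byte HMAC-SHA256 tag are constructed for the demo; the attacker's `forge_with_oracle` loop is a hypothetical illustration of the attack class, not a description of any particular exploit.

```python
import hmac
import hashlib

# Constructed demo key; the attacker never learns it and never needs to.
KEY = b"constructed-demo-key"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def mac(message: bytes) -> bytes:
    """HMAC-SHA256 tag over the message under the server's secret key."""
    return hmac.new(KEY, message, hashlib.sha256).digest()


def leaky_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Early-exit comparison (the vulnerable pattern).

    Returns (equal, bytes_compared). The second value models the timing
    leak: the loop stops at the first mismatching byte, so the amount of
    work done reveals the length of the matching prefix.
    """
    if len(a) != len(b):
        return False, 0
    compared = 0
    for x, y in zip(a, b):
        compared += 1
        if x != y:
            return False, compared
    return True, compared


def constant_time_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Constant-time comparison (the fixed pattern).

    Every byte is XORed into an accumulator regardless of earlier
    mismatches, so bytes_compared is always the full length and the
    result leaks nothing about where the tags differ. In production use
    hmac.compare_digest; this hand-rolled version exists only to expose
    the counter for the demonstration.
    """
    if len(a) != len(b):
        return False, 0
    acc = 0
    compared = 0
    for x, y in zip(a, b):
        compared += 1
        acc |= x ^ y
    return acc == 0, compared


def make_server(compare):
    """Server-side verifier: recompute the tag and compare it to the one supplied."""
    def verify(message: bytes, tag: bytes) -> tuple[bool, int]:
        return compare(mac(message), tag)
    return verify


def forge_with_oracle(message: bytes, oracle, tag_len: int = TAG_LEN):
    """Hypothetical attacker: build a valid tag using only the side channel.

    For each tag position, try all 256 byte values and keep the one that
    makes the server do strictly more comparison work than the others.
    Returns the forged tag on success, or None when the side channel is
    flat (no byte value stands out), which is what a constant-time
    comparison produces.
    """
    guess = bytearray(tag_len)
    for i in range(tag_len):
        counts = {}
        for b in range(256):
            guess[i] = b
            accepted, compared = oracle(message, bytes(guess))
            if accepted:
                return bytes(guess)  # last byte found: server accepted the forgery
            counts[b] = compared
        best = max(counts, key=counts.get)
        if sum(1 for c in counts.values() if c == counts[best]) != 1:
            return None  # all candidates cost the same: nothing to learn
        guess[i] = best
    return None


def demo() -> tuple[bool, bool]:
    """Returns (forgery_succeeds_against_leaky, forgery_fails_against_constant_time)."""
    msg = b"user=alice;admin=true"  # constructed attacker-chosen cookie payload
    forged = forge_with_oracle(msg, make_server(leaky_equal))
    blocked = forge_with_oracle(msg, make_server(constant_time_equal))
    return forged == mac(msg), blocked is None


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The forgery against the early-exit comparator needs at most 256 queries per tag byte (about 8k in total for a 32-byte tag) and yields a tag the server accepts for an attacker-chosen message, yet the key is never exposed, which is why the mail says the keys need not be rotated. Against the constant-time comparator every query costs the same and the attacker is left with the full brute-force space of the tag.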