From: Felipe Almeida Lessa <felipe.lessa-Re5JQEeQqe8AvxtiuMwx3w <at> public.gmane.org>
Subject: HEADS-UP: security fix, please upgrade clientsession to >= 0.7.3.1
Newsgroups: gmane.comp.lang.haskell.yesod
Date: Monday 3rd October 2011 13:01:43 UTC (over 5 years ago)
Hello!

Please be advised that clientsession < 0.7.3.1 is vulnerable to timing
attacks [1].  We have just released a fix and it's already on Hackage
[2].  We advise all users of clientsession (and, consequently, Yesod)
to upgrade as soon as possible to a version >= 0.7.3.1.

With a timing attack a malicious user may be able to construct a valid
MAC for his message.  However, the attacker is not able to recover the
MAC key or the encryption key.  So you don't need to change your keys,
just upgrade ASAP.

Cheers, =)

[1] https://github.com/snoyberg/clientsession/pull/4
[2] http://hackage.haskell.org/package/clientsession-0.7.3.1

-- 
Felipe.
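
The message does not say where the timing leak was; a common source in MAC verification is an early-exit byte comparison, and the added example below (not part of the original message and not clientsession's code) assumes that case. It instruments such a comparison to show how the work done tracks the matching prefix, next to a constant-time form. The names `leakyEq` and `constTimeEq` and the 8-byte tags are constructed for illustration.

```haskell
-- Added example; not clientsession's code. All names are hypothetical.
import Data.Bits (xor, (.|.))
import qualified Data.ByteString as B
import Data.List (foldl')
import Data.Word (Word8)

-- | Early-exit comparison, instrumented to return how many byte pairs it
-- examined. The count (and so the running time) grows with the length of
-- the matching prefix, which is the signal a timing attack measures.
leakyEq :: B.ByteString -> B.ByteString -> (Bool, Int)
leakyEq a b
  | B.length a /= B.length b = (False, 0)
  | otherwise = go 0
  where
    n = B.length a
    go i
      | i == n = (True, n)
      | B.index a i /= B.index b i = (False, i + 1)
      | otherwise = go (i + 1)

-- | Constant-time comparison: XOR every byte pair and OR the differences
-- together, so the work done is the same wherever the first mismatch is.
-- Only the length (public for a fixed-size MAC) can affect timing.
constTimeEq :: B.ByteString -> B.ByteString -> Bool
constTimeEq a b =
  B.length a == B.length b
    && foldl' (.|.) (0 :: Word8) (B.zipWith xor a b) == 0

main :: IO ()
main = do
  -- Constructed 8-byte tags, not real MACs.
  let expected = B.pack [0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04]
      wrongAt0 = B.pack [0x00, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04]
      wrongAt5 = B.pack [0xde, 0xad, 0xbe, 0xef, 0x01, 0xff, 0x03, 0x04]
  -- Both tags are rejected, but the leaky check examines a different
  -- number of bytes for each, depending on where the mismatch sits.
  print (leakyEq expected wrongAt0)
  print (leakyEq expected wrongAt5)
  -- The constant-time check gives the same verdicts with uniform work.
  print (map (constTimeEq expected) [wrongAt0, wrongAt5, expected])
```

The comparison only reveals how much of a guessed tag matches the expected one, never the key that produced it, which is consistent with the advice above that keys do not need to be changed.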
 