
3 Oct 2011, 1:01 p.m.
Hello!

Please be advised that clientsession < 0.7.3.1 is vulnerable to timing attacks [1]. We have just released a fix and it's already on Hackage [2]. We advise all users of clientsession (and, consequently, Yesod) to upgrade as soon as possible to a version >= 0.7.3.1.

With a timing attack a malicious user may be able to construct a valid MAC for his message. However, the attacker is not able to recover the MAC key or the encryption key. So you don't need to change your keys, just upgrade ASAP.

Cheers, =)

[1] https://github.com/snoyberg/clientsession/pull/4
[2] http://hackage.haskell.org/package/clientsession-0.7.3.1

--
Felipe.
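The announcement above says a timing attack lets an attacker forge a valid MAC without learning the key. The following is an added example written for this page, not code from clientsession or from the author, showing in Python why that is true: a tag check that returns at the first mismatching byte leaks how many leading bytes of a candidate tag were right, and that leak alone is enough to build the tag one byte at a time. Everything here is constructed for the demo: the key `KEY`, the tag length `TAG_LEN`, the message `MSG`, and the two verifiers `leaky_verify` and `fixed_verify`. Instead of measuring wall-clock time, the leaky verifier reports the number of bytes the comparison examined, which is the quantity a real attacker would estimate from many timed requests.

```python
import hashlib
import hmac

# Constructed demo parameters (assumptions, not clientsession's real values):
# a server-side MAC key the attacker never sees, a truncated tag length so the
# forgery loop stays short, and a message the attacker wants accepted.
KEY = hashlib.sha256(b"demo MAC key, not a real clientsession key").digest()
TAG_LEN = 16
MSG = b"user=alice&role=admin"


def mac(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 truncated to TAG_LEN bytes (the demo's MAC, not clientsession's)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def variable_time_equal(a: bytes, b: bytes):
    """Early-exit comparison, the pattern a timing attack exploits.

    Returns (equal, bytes_compared). The second value stands in for what an
    attacker measures as running time: it grows with the length of the
    correct prefix of the candidate tag.
    """
    if len(a) != len(b):
        return False, 0
    for i in range(len(a)):
        if a[i] != b[i]:
            return False, i + 1
    return True, len(a)


def constant_time_equal(a: bytes, b: bytes) -> bool:
    """Compares every byte whatever the position of the first mismatch."""
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0


def leaky_verify(msg: bytes, tag: bytes):
    """Vulnerable server: early-exit compare, so the 'timing' reveals the match depth."""
    return variable_time_equal(mac(KEY, msg), tag)


def fixed_verify(msg: bytes, tag: bytes):
    """Fixed server: constant-time compare, so the 'timing' is always the full length."""
    return constant_time_equal(mac(KEY, msg), tag), TAG_LEN


def forge_tag(verify, msg: bytes, tag_len: int = TAG_LEN):
    """Byte-at-a-time forgery using only the verifier's accept/reject result and timing.

    Never reads KEY. Returns (candidate_tag, number_of_queries).
    """
    guess = bytearray(tag_len)
    queries = 0
    for pos in range(tag_len):
        for b in range(256):
            guess[pos] = b
            accepted, compared = verify(msg, bytes(guess))
            queries += 1
            if accepted:
                return bytes(guess), queries
            if compared > pos + 1:
                # The compare got past this byte, so byte `pos` is now correct.
                break
    return bytes(guess), queries


if __name__ == "__main__":
    forged, n = forge_tag(leaky_verify, MSG)
    print("leaky verifier: forged a valid tag:", forged == mac(KEY, MSG), "in", n, "queries")
    forged, n = forge_tag(fixed_verify, MSG)
    print("fixed verifier: forged a valid tag:", forged == mac(KEY, MSG), "in", n, "queries")
```

Against `leaky_verify` the forgery needs at most 256 queries per tag byte instead of 2^128 for the whole tag, and the attacker ends up with a valid tag for `MSG` while still knowing nothing about `KEY`, which is exactly the situation the announcement describes: forged MACs, but no key recovery, so rotating keys is unnecessary and upgrading is what matters. Against `fixed_verify` the per-byte signal is gone and the same loop produces garbage. In production Python code use `hmac.compare_digest` rather than a hand-rolled loop; a real attack also has to average many timed requests to see through network and scheduler noise, which is why the demo models the leak as a count rather than a clock.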