HEADS-UP: security fix, please upgrade clientsession to >= 0.7.3.1
 
Hello!

Please be advised that clientsession < 0.7.3.1 is vulnerable to timing attacks [1]. We have just released a fix and it's already on Hackage [2]. We advise all users of clientsession (and, consequently, Yesod) to upgrade as soon as possible to a version >= 0.7.3.1.

With a timing attack a malicious user may be able to construct a valid MAC for his message. However, the attacker is not able to recover the MAC key or the encryption key. So you don't need to change your keys, just upgrade ASAP.

Cheers, =)

[1] https://github.com/snoyberg/clientsession/pull/4
[2] http://hackage.haskell.org/package/clientsession-0.7.3.1

-- 
Felipe.
 
            On Mon, Oct 3, 2011 at 10:01 AM, Felipe Almeida Lessa
> With a timing attack a malicious user may be able to construct a valid MAC for his message. However, the attacker is not able to recover the MAC key or the encryption key. So you don't need to change your keys, just upgrade ASAP.
If you are really paranoid, you may worry about a malicious user that created a valid cookie for an administrator expiring in 2030 while you still haven't upgraded. If you have this level of security paranoia/consciousness, you may want to generate new keys. Just delete client_session_key.aes before restarting your application with the fixed clientsession >= 0.7.3.1 and new, random keys will be generated for you.

Cheers, =)

-- 
Felipe.
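For readers who want to see the class of bug behind this advisory, here is an added Python illustration; it is not clientsession's Haskell code and not from the author. It assumes the leak sits in a MAC check that stops comparing at the first mismatching byte (the advisory does not spell out the mechanism), and uses a constructed key with HMAC-SHA256 as a stand-in for the library's real MAC. It shows why an early-exit comparison lets response time reveal how many leading tag bytes are right, and the fixed-work comparison a defender replaces it with.

```python
import hmac
import hashlib

# Constructed demo key; a real deployment reads its key from client_session_key.aes.
KEY = b"constructed-demo-key"

def mac(message: bytes) -> bytes:
    """Tag over the cookie payload (illustrative HMAC-SHA256, not the library's construction)."""
    return hmac.new(KEY, message, hashlib.sha256).digest()

def early_exit_compare(a: bytes, b: bytes):
    """Byte-by-byte comparison that returns at the first mismatch.
    Returns (equal, byte_comparisons_performed). The second value is what a
    remote client observes indirectly as response time: this is the leak."""
    if len(a) != len(b):
        return False, 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps

def constant_time_compare(a: bytes, b: bytes) -> bool:
    """Mitigation: hmac.compare_digest does not short-circuit, so the time taken
    no longer depends on which byte (if any) is wrong."""
    return hmac.compare_digest(a, b)

def verify_leaky(message: bytes, tag: bytes):
    return early_exit_compare(mac(message), tag)

def verify_fixed(message: bytes, tag: bytes) -> bool:
    return constant_time_compare(mac(message), tag)

def work_by_prefix(message: bytes, correct_prefix_len: int) -> int:
    """Construct a wrong tag whose first `correct_prefix_len` bytes match the real
    tag and whose next byte is deliberately wrong, then report how many byte
    comparisons the leaky check performs. Each extra correct byte adds one step,
    which is exactly the signal the constant-time check removes."""
    real = mac(message)
    forged = bytearray(real[:correct_prefix_len])
    forged.append((real[correct_prefix_len] + 1) & 0xFF)  # guaranteed mismatch here
    forged.extend(b"\x00" * (len(real) - len(forged)))
    return early_exit_compare(real, bytes(forged))[1]
```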