HEADS-UP: security fix, please upgrade clientsession to >= 0.7.3.1

HEADS-UP: security fix, please upgrade clientsession to >= 0.7.3.1

Felipe Lessa
Hello!

Please be advised that clientsession < 0.7.3.1 is vulnerable to timing
attacks [1].  We have just released a fix and it's already on Hackage
[2].  We advise all users of clientsession (and, consequently, Yesod)
to upgrade as soon as possible to a version >= 0.7.3.1.

With a timing attack a malicious user may be able to construct a valid
MAC for his message.  However, the attacker is not able to recover the
MAC key or the encryption key.  So you don't need to change your keys,
just upgrade ASAP.

Cheers, =)

[1] https://github.com/snoyberg/clientsession/pull/4
[2] http://hackage.haskell.org/package/clientsession-0.7.3.1

--
Felipe.

_______________________________________________
Haskell-Cafe mailing list
[hidden email]
http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: HEADS-UP: security fix, please upgrade clientsession to >= 0.7.3.1

Felipe Lessa
On Mon, Oct 3, 2011 at 10:01 AM, Felipe Almeida Lessa
<[hidden email]> wrote:
> With a timing attack a malicious user may be able to construct a valid
> MAC for his message.  However, the attacker is not able to recover the
> MAC key or the encryption key.  So you don't need to change your keys,
> just upgrade ASAP.

If you are really paranoid, you may worry about a malicious user that
created a valid cookie for an administrator expiring in 2030 while you
still hadn't upgraded.  If you have this level of security
paranoia/consciousness, you may want to generate new keys.  Just
delete client_session_key.aes before restarting your application with
the fixed clientsession >= 0.7.3.1 and new, random keys will be
generated for you.

Cheers, =)

--
Felipe.

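Added example for both posts above (Python rather than clientsession's Haskell, and not the project's own code): the step counts show why an early-exit MAC comparison leaks the position of the first wrong byte while a constant-time one does not, and the key-rotation part shows why fixing the comparison alone does not revoke a tag that was already forged under the old key. HMAC-SHA256 stands in for clientsession's MAC, and the "forged" tag is simply the genuine tag, constructed here as a stand-in for one an attacker obtained.

```python
import hmac
import hashlib
import secrets

def make_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the cookie payload (stand-in for clientsession's MAC)."""
    return hmac.new(key, message, hashlib.sha256).digest()

def naive_compare(a: bytes, b: bytes) -> tuple:
    """Stops at the first mismatch. Returns (equal, bytes_examined): the work
    done depends on where the first wrong byte is, which is what timing reveals."""
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)

def constant_compare(a: bytes, b: bytes) -> tuple:
    """Examines every byte and folds differences with OR, so the work is fixed.
    (Use hmac.compare_digest in real code; this exposes the step count.)"""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)

def forge_progress(key: bytes, message: bytes, compare) -> list:
    """Step counts for guesses that match the real tag in their first 0, 1 and
    2 bytes: a growing count tells the attacker each guessed byte was right."""
    tag = make_tag(key, message)
    counts = []
    for good_prefix in range(3):
        guess = tag[:good_prefix] + bytes(b ^ 0xFF for b in tag[good_prefix:])
        counts.append(compare(tag, guess)[1])
    return counts

def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(make_tag(key, message), tag)

def rotation_demo() -> tuple:
    """A tag forged under the old key still verifies after the comparison fix;
    only a fresh key (delete client_session_key.aes) makes it invalid."""
    old_key = bytes(32)                        # constructed old key
    cookie = b"user=admin;expires=2030-01-01"  # constructed payload
    forged = make_tag(old_key, cookie)         # stands in for an attacker-built tag
    new_key = secrets.token_bytes(32)          # what regenerating the key file does
    return verify(old_key, cookie, forged), verify(new_key, cookie, forged)
```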