On Mon, Oct 3, 2011 at 10:01 AM, Felipe Almeida Lessa wrote:
> With a timing attack a malicious user may be able to construct a valid
> MAC for his message. However, the attacker is not able to recover the
> MAC key or the encryption key. So you don't need to change your keys,
> just upgrade ASA
Hello!
Please be advised that clientsession < 0.7.3.1 is vulnerable to timing
attacks [1]. We have just released a fix and it's already on Hackage
[2]. We advise all users of clientsession (and, consequently, Yesod)
to upgrade as soon as possible to a version >= 0.7.3.1.
With a timing attack a