[dancer-users] Dancer 1.3400 released to CPAN - security fix, bugfixes and minor improvements

Warren Young warren at etr-usa.com
Sat Jun 16 02:15:39 BST 2018


On Jun 15, 2018, at 4:30 PM, David Precious <davidp at preshweb.co.uk> wrote:
> 
> - Validate session IDs read from client - GH #1172 - potential security
>   risk if the session provider in use passes the session ID in a way
>   where injection is possible.

Is there a list of session providers known to do this?  I don’t expect it to be complete, but I suspect that, like me, most people will have no way to evaluate whether their session providers are vulnerable.

Obviously new systems still based on D1 will go out with this new version.  The question is, do we go back and patch all of those already deployed?  In our world, that’s not especially easy, so we’re not going to do it if we’re not actually vulnerable.
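To make the class of problem in the quoted changelog entry concrete, here is an added example (not code from the original thread, and not Dancer's own session code). It models a hypothetical file-backed session provider that turns the cookie value into a file name, shows what unvalidated client-supplied IDs do to that path, and then applies an allow-list check before the ID reaches the provider. The regex is an assumption about what server-minted IDs look like and should be matched to how your app actually generates them; it says nothing about which real Dancer providers are affected.

```perl
#!/usr/bin/env perl
# Added example, not Dancer's own code: why a session ID read from a client
# cookie must be validated before a session provider is allowed to use it.
use strict;
use warnings;
use File::Spec;

# Hypothetical file-backed store: the session ID becomes part of a file name.
# This illustrates the class of issue the changelog describes; it is not a
# claim about any specific Dancer::Session backend.
my $session_dir = '/var/lib/myapp/sessions';

sub session_path_unvalidated {
    my ($id) = @_;
    # BUG: the raw cookie value goes straight into the path.
    return File::Spec->catfile( $session_dir, "$id.sess" );
}

# Assumed allow-list (hex or URL-safe base64 alphabet, bounded length).
# Adjust to whatever your ID generator actually emits.
my $SESSION_ID_RE = qr/\A[A-Za-z0-9_\-]{16,128}\z/;

sub validate_session_id {
    my ($id) = @_;
    return undef unless defined $id && $id =~ $SESSION_ID_RE;
    return $id;
}

sub session_path_validated {
    my ($id) = @_;
    my $clean = validate_session_id($id)
        // die "invalid session id\n";    # real app: drop the cookie, start a fresh session
    return File::Spec->catfile( $session_dir, "$clean.sess" );
}

# Constructed sample cookie values (not captured from a real client).
my @cookies = (
    '8f3a2c9e1d4b7a6f0e5c3b2a1d9f8e7c',    # plausible server-generated ID
    '../../../etc/passwd',                 # path traversal attempt
    "abc\x00.sess",                        # embedded NUL
    'id; rm -rf /',                        # shell metacharacters (matters if the ID reaches a shell or query)
    'short',                               # wrong shape, likely forged
);

for my $c (@cookies) {
    my $shown = $c =~ s/[^[:print:]]/?/gr;
    printf "%-36s unvalidated -> %s\n", $shown, session_path_unvalidated($c);
    my $safe = eval { session_path_validated($c) };
    chomp( my $err = $@ // '' );
    printf "%-36s validated   -> %s\n", $shown,
        defined $safe ? $safe : "REJECTED ($err)";
}
```

Only the first cookie survives the check; everything else is rejected before it can be interpolated into a path, query, or command. The point for a deployment decision is that the check belongs in the framework layer that reads the cookie, so that whether a given provider is exposed depends only on how it consumes the ID, which is exactly what the question above is asking about.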

