[dancer-users] Potential security issues fixed in recent releases
Russell Jenkins
russell.jenkins at strategicdata.com.au
Tue Jun 16 03:16:13 BST 2015
Hello fellow Dancers.
We've been notified about a potential security issue that affects both
Dancer and Dancer2.
For releases up to
* Dancer v1.3136, or
* Dancer2 v0.160001
it was possible to abuse session cookie values so that file-based session stores such as Dancer::Session::YAML or Dancer2::Session::YAML would attempt to read/write from any file on the filesystem with the same extension the file-based store uses, such as '*.yml' for the YAML stores.
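The defensive pattern behind this class of bug, as an added example that is not Dancer's or Dancer2's own code: allow-list the session id from the cookie before it becomes part of a filename, and confirm the resulting path still resolves inside the store directory. The session directory, extension and id pattern are assumptions for illustration.

```perl
#!/usr/bin/env perl
# Added example, not Dancer's own code: validate a session id taken from a
# cookie before a file-based session store turns it into a filename.
use strict;
use warnings;
use File::Spec;
use File::Path qw(make_path);
use Cwd qw(realpath);

# Hypothetical store location and extension (the YAML stores use '.yml').
my $SESSION_DIR = File::Spec->catdir(File::Spec->tmpdir, 'dancer_sessions');
my $EXTENSION   = 'yml';
make_path($SESSION_DIR);

# Allow-list the id: only word characters of a sane length. Anything else
# (path separators, '..', NUL bytes, absolute paths) never reaches the
# filesystem layer, regardless of how the store joins strings.
sub valid_session_id {
    my ($id) = @_;
    return defined $id && $id =~ /\A[A-Za-z0-9_]{16,128}\z/ ? 1 : 0;
}

# Build the session file path and, as defense in depth, confirm the
# directory it resolves to is the session directory itself.
sub session_file_path {
    my ($id) = @_;
    die "invalid session id\n" unless valid_session_id($id);
    my $path = File::Spec->catfile($SESSION_DIR, "$id.$EXTENSION");
    my (undef, $dir) = File::Spec->splitpath($path);
    my $resolved = realpath($dir) // die "cannot resolve session dir\n";
    die "session path escapes store directory\n"
        unless $resolved eq realpath($SESSION_DIR);
    return $path;
}

# Constructed sample cookie values: one legitimate id and two hostile ones.
for my $cookie ('a' x 32, '../../../etc/passwd', "x\0/etc/shadow") {
    my $shown = $cookie =~ s/\0/\\0/gr;
    if (my $path = eval { session_file_path($cookie) }) {
        print "$shown => $path\n";
    } else {
        chomp(my $err = $@);
        print "$shown => rejected ($err)\n";
    }
}
```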
The issue was reported by Andrew Beverley and fixed in the following releases:
* Dancer v1.3138 (Yanick Champoux)
* Dancer2 v0.160002 (Russell Jenkins)
The updated packages are now available from your favorite CPAN mirror.
The file-based session stores are intended to be used for prototyping and testing. While we do not recommend using file-based session stores in production, there may be single-machine production environments where they are useful. If you are using any of the file-based session stores in production, we strongly advise you to upgrade.
Thanks for your trust, and happy dancing!
Sawyer, Yanick & Russell.