Aug 11, 2014
Plack::Middleware::Session::Cookie 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server, when the middleware is enabled without a secret.
If you use Plack::Middleware::Session::Cookie, you're required to pass a
secret option to the middleware. The value of the secret key must obviously be kept private.
- Version 0.22 is released today, which gives you a big WARNING when it is enabled without a secret set.
- Version 0.23 TRIAL is released, which refuses to run without a secret set, giving an error message on the startup. This will become a non-trial release in a few days.