Ratpack v1.6.1

Version Release Notes from April 24, 2019 (almost 5 years ago)

« Changelog History

Ratpack v1.6.1 Release Notes

Release Date: 2019-04-24 // almost 5 years ago

🚀 This release fixes a security vulnerability around session ID generation and is recommended for all users.

0️⃣ The issue stems from the default session ID generator using a cryptographically weak pseudo random number generator in the JDK's ThreadLocalRandom. This means that if an attacker can determine a small window for the server start time and obtain a session ID value, they can theoretically determine the sequence of session IDs. 1.6.1 uses system entropy when generating values to make the values non determinable.

If you are using client side sessions, your application is not vulnerable as the session ID is not used.

0️⃣ If you are using a version earlier than 1.6, you can fix the the issue by binding a custom SessionIdGenerator implementation based on the new version.

Special thanks to Jonathan Leitschuh for discovering and reporting this vulnerability.

Awesome Java is part of the LibHunt network. Terms. Privacy Policy.