PT-2023-35501 · Unknown · Cabal-Install

Published 2023-11-07 · Updated 2025-11-14

None

No severity ratings or metrics are available. When they become available, the corresponding information on this page will be updated.
Name of the Vulnerable Software and Affected Versions: cabal-install versions prior to 3.10.2.0

Description: A problem was discovered in cabal-install's implementation of the Hackage Security protocol, which could allow an attacker with a revoked private key and the ability to perform a man-in-the-middle attack against Hackage to deliver malicious packages. This issue is related to the verification of the key policy file's expiration timestamp. The Hackage Security protocol guarantees that mirrors of Hackage cannot change the contents of packages and that mirrors cannot omit newer packages for more than a few days without clients noticing.

Recommendations: For cabal-install versions prior to 3.10.2.0, update to version 3.10.2.0 or newer to resolve the issue. As a temporary workaround, consider running cabal update regularly to minimize the risk of exploitation. Restrict access to untrusted mirrors and avoid using compromised operational keys.

Related identifiers

HSEC-2023-0015

Affected products

Cabal-Install