[Chicken-users] [ANN] Official CHICKEN security policy
From: Peter Bex
Subject: [Chicken-users] [ANN] Official CHICKEN security policy
Date: Fri, 8 Feb 2013 14:25:25 +0100
User-agent: Mutt/1.4.2.3i
Hello Schemers!

Recently a few security vulnerabilities have been found and fixed in
CHICKEN. In order to more effectively keep track of the state of our
security, the CHICKEN Team has decided to adopt an official policy.
As always, we've tried to keep things as simple and as informal as
possible, to ensure our small core team can cope with this.

The most immediately useful part of this policy for users is that
we will request CVE (Common Vulnerabilities and Exposures) identifiers
in order to better track vulnerabilities across time. This will make
it easier for OS packagers and users to know when it's time to upgrade
to newer versions and what the consequences are of not doing so.
Especially for business-critical uses of CHICKEN this is essential.
There are also plenty of security tools which use the CVE database as
a common ground for detecting issues. For more info see
https://cve.mitre.org/about/index.html

For security researchers, we've created a wiki page describing how
to report vulnerabilities and how we will respond:
http://wiki.call-cc.org/security

There's also a new e-mail address for reporting vulnerabilities:
address@hidden

To stay informed about security issues, you can also subscribe to the
recently created low-volume chicken-announce mailing list.

Below you'll find a list of the CVE identifiers we've requested for
the vulnerabilities that have been fixed:

CVE-2012-6122: select() buffer overrun (fixed in 4.8.0.1 and 4.8.2), see
http://lists.nongnu.org/archive/html/chicken-users/2012-06/msg00031.html

CVE-2012-6123: Poisoned NUL byte injection (fixed in 4.8.0), see
http://lists.nongnu.org/archive/html/chicken-users/2012-09/msg00004.html

CVE-2012-6124: Broken randomization procedure on 64-bit platforms
(fixed in 4.8.0), see
http://lists.nongnu.org/archive/html/chicken-hackers/2012-02/msg00084.html

CVE-2012-6125: Vulnerability to algorithmic complexity attacks due to
hash table collisions (fixed in 4.8.0), see
http://lists.nongnu.org/archive/html/chicken-hackers/2012-01/msg00020.html

These have been added to the NEWS file in both the master and stability/4.8.0
branches.

Kind regards,
The CHICKEN Team
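Editor's note: the two CVE titles "select() buffer overrun" and "Poisoned NUL byte injection" name well-known bug classes in runtimes that hand length-counted strings and arbitrary file descriptors to the C library. The C program below is an added, generic illustration of the checks that prevent each class; it is not CHICKEN's code, not the fix referenced in the linked threads, and the announcement does not say where in CHICKEN the bugs sat. All function names and the sample inputs are constructed for this example.

```c
/* Added example: generic defences for two vulnerability classes named in
 * the announcement above. Not CHICKEN's own code or its fix. */
#include <stdio.h>
#include <string.h>
#include <sys/select.h>

/* select() buffer overrun class: an fd_set is a fixed bitmap of FD_SETSIZE
 * bits (1024 on glibc). FD_SET(fd, &set) with fd >= FD_SETSIZE writes past
 * the end of that bitmap, which is undefined behaviour and in practice
 * clobbers whatever sits next to the set on the stack or heap. A runtime
 * that opens many descriptors (sockets, files) must check before FD_SET.
 * Returns 0 on success, -1 if fd cannot be represented in an fd_set. */
int checked_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return -1;
    FD_SET(fd, set);
    return 0;
}

/* Helper for stand-alone testing: 1 if fd was accepted and is now set in a
 * fresh fd_set, 0 if it was rejected. */
int fd_set_ok(int fd)
{
    fd_set set;
    FD_ZERO(&set);
    if (checked_fd_set(fd, &set) != 0)
        return 0;
    return FD_ISSET(fd, &set) ? 1 : 0;
}

/* Poisoned NUL byte class: a length-counted string (as in a Scheme runtime)
 * may legally contain '\0', but libc calls such as open() or unlink() stop
 * at the first NUL. "notes.txt\0../../etc/passwd" passes any check that
 * looks at the full length, yet reaches the kernel as "notes.txt"; the
 * mirror case is a validated path silently truncated to something else.
 * Returns 1 if buf holds an embedded NUL within len bytes, else 0. */
int has_embedded_nul(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* Convert a length-counted string into a NUL-terminated C string for a libc
 * call, refusing anything that would be truncated or would not fit.
 * Returns 0 on success, -1 on rejection. */
int to_c_string(const char *buf, size_t len, char *out, size_t outsz)
{
    if (has_embedded_nul(buf, len) || len >= outsz)
        return -1;
    memcpy(out, buf, len);
    out[len] = '\0';
    return 0;
}

/* Helper for stand-alone testing: 1 if buf/len is accepted as a C string
 * into a 64-byte buffer, 0 otherwise. */
int c_string_ok(const char *buf, size_t len)
{
    char tmp[64];
    return to_c_string(buf, len, tmp, sizeof tmp) == 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed input: 9 bytes of filename, an embedded NUL, then a
     * traversal suffix. sizeof - 1 drops only the literal's terminator. */
    const char poisoned[] = "notes.txt\0../../etc/passwd";

    printf("fd 0: %s\n", fd_set_ok(0) ? "set" : "rejected");
    printf("fd FD_SETSIZE: %s\n", fd_set_ok(FD_SETSIZE) ? "set" : "rejected");
    printf("\"notes.txt\": %s\n", c_string_ok("notes.txt", 9) ? "accepted" : "rejected");
    printf("poisoned path (%zu bytes): %s\n", sizeof poisoned - 1,
           c_string_ok(poisoned, sizeof poisoned - 1) ? "accepted" : "rejected");
    return 0;
}
```

The FD_SETSIZE check is the one a practitioner wants in any select()-based scheduler; the alternative is to move to poll() or an event API that has no fixed descriptor limit. For the NUL case, rejecting the string outright is safer than truncating it, because truncation is exactly what an attacker relies on.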