guile-commits
[Guile-commits] 03/04: Update 'NEWS'.


From: Ludovic Courtès
Subject: [Guile-commits] 03/04: Update 'NEWS'.
Date: Wed, 12 Oct 2016 08:39:57 +0000 (UTC)

civodul pushed a commit to branch stable-2.0
in repository guile.

commit 606cf7f7f42c072b96b941e5074338c01811b5ea
Author: Ludovic Courtès <address@hidden>
Date:   Wed Oct 12 10:12:26 2016 +0200

    Update 'NEWS'.
---
 NEWS |   48 +++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 41 insertions(+), 7 deletions(-)

diff --git a/NEWS b/NEWS
index 96c5c2a..22dda2e 100644
--- a/NEWS
+++ b/NEWS
@@ -7,17 +7,38 @@ Please send Guile bug reports to address@hidden
 
 Changes in 2.0.13 (since 2.0.12):
 
-* Notable changes
-* New interfaces
-** mkstemp! takes optional "mode" argument
+* Security fixes
 
-See "File System" in the manual, for more.
+** CVE-2016-8606: REPL server now protects against HTTP inter-protocol
+   attacks
 
-** New 'scm_to_uintptr_t' and 'scm_from_uintptr_t' C functions
+Guile 2.x provides a "REPL server" started by the '--listen'
+command-line option or equivalent API (see "REPL Servers" in the
+manual).
 
-* Bug fixes
+The REPL server is vulnerable to the HTTP inter-protocol attack as
+described at
+<https://en.wikipedia.org/wiki/Inter-protocol_exploitation>, notably the
+HTML form protocol attack described at
+<https://www.jochentopf.com/hfpa/hfpa.pdf>.  A "DNS rebinding attack"
+can be combined with this attack and allow an attacker to send arbitrary
+Guile code to the REPL server through web pages accessed by the
+developer, even though the REPL server is listening to a loopback device
+("localhost").  This was demonstrated in an article entitled "How to
+steal any developer's local database" available at
+<http://bouk.co/blog/hacking-developers/>.
+
+The REPL server in Guile 2.0.13 now detects attempts to exploit this
+vulnerability.  It immediately closes the connection when it receives a
+line that looks like an HTTP request.
+
+Nevertheless, we recommend binding the REPL server to a Unix-domain
+socket, for instance by running:
 
-** 'mkdir' procedure no longer calls umask(2) (<http://bugs.gnu.org/24659>)
+  guile --listen=/tmp/guile-socket
+
+** CVE-2016-8605: 'mkdir' procedure no longer calls umask(2)
+   (<http://bugs.gnu.org/24659>)
 
 When the second argument to the 'mkdir' procedure was omitted, it would
 call umask(0) followed by umask(previous_umask) and apply the umask to
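Review bot: the recommended workaround `guile --listen=/tmp/guile-socket` places the REPL socket in a shared, world-writable directory, and anyone who can connect to that socket can evaluate arbitrary Guile code; suggest the example use a directory private to the user, or that the entry state the permissions the socket is created with. It would also help to say explicitly that the new check is a heuristic (the server closes the connection on a line that looks like an HTTP request) rather than a complete fix, which is the reason the Unix-domain socket is recommended over the TCP listener.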
@@ -28,9 +49,22 @@ applications: during a small window the process' umask was 
set to zero,
 so other threads calling mkdir(2) or open(2) could end up creating
 world-readable/writable/executable directories or files.
 
+* New interfaces
+
+** mkstemp! takes optional "mode" argument
+
+See "File System" in the manual, for more.
+
+** New 'scm_to_uintptr_t' and 'scm_from_uintptr_t' C functions
+
+* Bug fixes
+
 ** Fix optimizer bug when compiling fixpoint operator
 ** Fix build error on MinGW
 ** Update 'uname' implementation on MinGW
+** 'port-encoding' and 'set-port-encoding!' ensure they are passed an
+   open port
+** (system base target) now recognizes Alpha as a cross-compilation target
 
 
 Changes in 2.0.12 (since 2.0.11):
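Review bot: the new bug-fix entries (`** 'port-encoding' and 'set-port-encoding!' ensure they are passed an open port` and `** (system base target) now recognizes Alpha as a cross-compilation target`) carry no bug or commit reference, whereas the CVE-2016-8605 entry cites <http://bugs.gnu.org/24659>; for consistency, and so readers can look up the previous behaviour, suggest adding the bug number or commit for each fix. Since the umask paragraph that runs across this hunk boundary concerns a race between threads, it may also be worth stating plainly that single-threaded programs were not affected by the window it describes.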


