[Guile-commits] 03/04: Update 'NEWS'.
From: Ludovic Courtès
Subject: [Guile-commits] 03/04: Update 'NEWS'.
Date: Wed, 12 Oct 2016 08:39:57 +0000 (UTC)
civodul pushed a commit to branch stable-2.0
in repository guile.
commit 606cf7f7f42c072b96b941e5074338c01811b5ea
Author: Ludovic Courtès <address@hidden>
Date: Wed Oct 12 10:12:26 2016 +0200
Update 'NEWS'.
---
NEWS | 48 +++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 41 insertions(+), 7 deletions(-)
diff --git a/NEWS b/NEWS
index 96c5c2a..22dda2e 100644
--- a/NEWS
+++ b/NEWS
@@ -7,17 +7,38 @@ Please send Guile bug reports to address@hidden
Changes in 2.0.13 (since 2.0.12):
-* Notable changes
-* New interfaces
-** mkstemp! takes optional "mode" argument
+* Security fixes
-See "File System" in the manual, for more.
+** CVE-2016-8606: REPL server now protects against HTTP inter-protocol
+ attacks
-** New 'scm_to_uintptr_t' and 'scm_from_uintptr_t' C functions
+Guile 2.x provides a "REPL server" started by the '--listen'
+command-line option or equivalent API (see "REPL Servers" in the
+manual).
-* Bug fixes
+The REPL server is vulnerable to the HTTP inter-protocol attack as
+described at
+<https://en.wikipedia.org/wiki/Inter-protocol_exploitation>, notably the
+HTML form protocol attack described at
+<https://www.jochentopf.com/hfpa/hfpa.pdf>. A "DNS rebinding attack"
+can be combined with this attack and allow an attacker to send arbitrary
+Guile code to the REPL server through web pages accessed by the
+developer, even though the REPL server is listening to a loopback device
+("localhost"). This was demonstrated in an article entitled "How to
+steal any developer's local database" available at
+<http://bouk.co/blog/hacking-developers/>.
+
+The REPL server in Guile 2.0.13 now detects attempts to exploit this
+vulnerability. It immediately closes the connection when it receives a
+line that looks like an HTTP request.
+
+Nevertheless, we recommend binding the REPL server to a Unix-domain
+socket, for instance by running:
-** 'mkdir' procedure no longer calls umask(2) (<http://bugs.gnu.org/24659>)
+ guile --listen=/tmp/guile-socket
+
+** CVE-2016-8605: 'mkdir' procedure no longer calls umask(2)
+ (<http://bugs.gnu.org/24659>)
When the second argument to the 'mkdir' procedure was omitted, it would
call umask(0) followed by umask(previous_umask) and apply the umask to
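Review bot: the mitigation sentence ("It immediately closes the connection when it receives a line that looks like an HTTP request") presents a heuristic as if it closed the issue, without saying what the server treats as an HTTP request; suggest wording it as a best-effort detection and making clear that the Unix-domain socket in the next paragraph is the actual fix. Also, the recommended example `guile --listen=/tmp/guile-socket` puts the socket at a predictable path in a shared, world-writable directory; the NEWS entry should add that the socket belongs in a directory only the developer can write to, since anyone who can reach the socket can send code to the REPL just as the CVE text describes.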
@@ -28,9 +49,22 @@ applications: during a small window the process' umask was
set to zero,
so other threads calling mkdir(2) or open(2) could end up creating
world-readable/writable/executable directories or files.
+* New interfaces
+
+** mkstemp! takes optional "mode" argument
+
+See "File System" in the manual, for more.
+
+** New 'scm_to_uintptr_t' and 'scm_from_uintptr_t' C functions
+
+* Bug fixes
+
** Fix optimizer bug when compiling fixpoint operator
** Fix build error on MinGW
** Update 'uname' implementation on MinGW
+** 'port-encoding' and 'set-port-encoding!' ensure they are passed an
+ open port
+** (system base target) now recognizes Alpha as a cross-compilation target
Changes in 2.0.12 (since 2.0.11):
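Review bot: `+* New interfaces` follows the last line of the umask paragraph ("world-readable/writable/executable directories or files.") with no separating blank line, while every other section boundary in this hunk is separated by a blank `+` line; add one for consistency. The three new bug-fix entries (`port-encoding`/`set-port-encoding!`, `(system base target)` Alpha support) also carry no bug or commit reference, unlike the `mkdir` entry above with `<http://bugs.gnu.org/24659>`; a reference per entry would let readers verify what was fixed.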