Guile 2.0.13


From: Ludovic Courtès
Subject: Guile 2.0.13
Date: Wed, 12 Oct 2016 14:38:26 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Hello!

Guile 2.0.13 fixes a couple of security issues:

  https://lists.gnu.org/archive/html/guile-user/2016-10/msg00010.html

CVE-2016-8606 can be serious (remote code execution), but developers
using Guile can readily work around it; see the description at:

  https://lists.gnu.org/archive/html/guile-user/2016-10/msg00007.html

In particular, Geiser already uses Unix-domain sockets to talk to Guile,
which means we’re safe here.

CVE-2016-8605 is about the possibility of creating files with insecure
permissions in multithreaded programs.  Apart from our own grafting code
(the infamous <http://bugs.gnu.org/22954>), this is probably a rare
situation.

So, what do we do?

Given that core-updates with Guile 2.0.12 is on its way and that master
is still at 2.0.11, I’d suggest to leave master as-is and focus on
core-updates.

There we have 2 options:

  1. Changing ‘guile-2.0/fixed’ to 2.0.13, but 1,310 packages depend on it.

  2. Grafting 2.0.13, which is doable since 2.0.12 and .13 have the same ABI.

I have a preference for #2.

Thoughts?

Ludo’.
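As an added illustration of option 2 (this is example code, not part of the message above nor the Guix tree as it stood then): in Guix a graft is declared by giving the affected package a ‘replacement’ field that points at an ABI-compatible package, and Guix rewrites references in the dependents’ outputs instead of rebuilding them. The variable name ‘guile-2.0.13’, the module name and the source hash are assumptions; the hash is a placeholder, not the real checksum.

```scheme
;; Added example of a Guix graft for the Guile 2.0.13 security release.
;; Assumed names: module (example guile-graft), variable guile-2.0.13.
(define-module (example guile-graft)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (gnu packages guile))

;; The fixed release.  It inherits everything from the 2.0.12 package and
;; changes only version and source, so the ABI stays the same (the precondition
;; for grafting that the message relies on).
(define-public guile-2.0.13
  (package
    (inherit guile-2.0)
    (version "2.0.13")
    (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/guile/guile-" version
                                  ".tar.xz"))
              (sha256
               ;; PLACEHOLDER: substitute the checksum reported by
               ;; `guix download`; 52 base32 characters, all zeros here.
               (base32
                "0000000000000000000000000000000000000000000000000000"))))))

;; The graft itself: a 2.0.12 package whose outputs are replaced by 2.0.13
;; when anything depending on it is built.  In the real tree this field is
;; added to the existing guile-2.0 definition rather than to a copy.
;; Note that "guile-2.0.12" and "guile-2.0.13" have the same length, which
;; the in-place rewriting of /gnu/store/... references requires.
(define-public guile-2.0/grafted
  (package
    (inherit guile-2.0)
    (replacement guile-2.0.13)))

;; Defenders can confirm the graft is applied with the standard CLI:
;;   guix build guile              ; grafted output, 2.0.13 code, old hash
;;   guix build --no-grafts guile  ; the unpatched 2.0.12 build
```

Because the dependents keep their original derivation hashes, the 1,310 packages mentioned above are not rebuilt; only the replacement and the cheap reference-rewriting step run.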


