From: Andy Wingo
Newsgroups: gmane.lisp.guile.devel,gmane.lisp.guile.user
Subject: Re: Guile security vulnerability w/ listening on localhost + port (with fix)
Date: Sun, 26 Feb 2017 19:22:31 +0100
Message-ID: <87k28cu80o.fsf@pobox.com>
References: <87k2dfc7dd.fsf@dustycloud.org> <20161014215551.GA31883@lizzie.io>
In-Reply-To: <20161014215551.GA31883@lizzie.io>
To: Lizzie Dixon <_@lizzie.io>
Cc: guile-user@gnu.org, guile-devel@gnu.org

Hi!

On Fri 14 Oct 2016 23:55, Lizzie Dixon <_@lizzie.io> writes:

>

I know it's a late kudo but still -- great investigation and writeup, thank you for digging in to this one :)

Andy