* Guile 2.0.13
@ 2016-10-12 12:38 Ludovic Courtès
  2016-10-12 16:20 ` Christopher Allan Webber
  2016-10-12 16:35 ` Leo Famulari
  0 siblings, 2 replies; 10+ messages in thread
From: Ludovic Courtès @ 2016-10-12 12:38 UTC (permalink / raw)
  To: guix-devel

Hello!

Guile 2.0.13 fixes a couple of security issues:

  https://lists.gnu.org/archive/html/guile-user/2016-10/msg00010.html

CVE-2016-8606 can be serious (remote code execution), but developers
using Guile can readily work around it; see the description at:

  https://lists.gnu.org/archive/html/guile-user/2016-10/msg00007.html

In particular, Geiser already uses Unix-domain sockets to talk to Guile,
which means we’re safe here.

CVE-2016-8605 is about the possibility of creating files with insecure
permissions in multithreaded programs.  Apart from our own grafting code
(the infamous <http://bugs.gnu.org/22954>), this is probably a rare
situation.

So, what do we do?

Given that core-updates with Guile 2.0.12 is on its way and that master
is still at 2.0.11, I’d suggest leaving master as-is and focusing on
core-updates.

There we have 2 options:

  1. Changing ‘guile-2.0/fixed’ to 2.0.13, but 1,310 packages depend on it.

  2. Grafting 2.0.13, which is doable since 2.0.12 and .13 have the same ABI.

I have a preference for #2.

Thoughts?

Ludo’.
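The workaround Ludovic alludes to for CVE-2016-8606 (Geiser talking to Guile over a Unix-domain socket rather than the default TCP listener) can be set up from a program's own code. The following is an added example, not code from the message, from Guix or from Guile itself; it uses Guile's real `(system repl server)` API (`make-unix-domain-server-socket`, `spawn-server`) and the `umask`/`stat:perms` primitives, while the socket naming under `XDG_RUNTIME_DIR` and the `socket-private?` check are assumptions made for this illustration.

```scheme
;; Added example (not from the mailing list message or the Guile project):
;; serve the Guile REPL over a Unix-domain socket whose file permissions
;; restrict it to the current user, instead of a TCP port.
(use-modules (system repl server)
             (ice-9 format))

(define (repl-socket-path)
  ;; Assumption for this example: place the socket in the per-user runtime
  ;; directory when one is available, falling back to /tmp, and make the
  ;; name unique per process so bind() never collides with a stale file.
  (let ((base (or (getenv "XDG_RUNTIME_DIR") "/tmp")))
    (string-append base "/guile-repl-" (number->string (getpid)) ".sock")))

(define (start-private-repl-server)
  "Spawn a REPL server reachable only through a Unix-domain socket.
The socket file is created under umask 077 so group and others get no
access; the previous umask is restored afterwards."
  (let ((path (repl-socket-path))
        (old-umask (umask #o077)))          ; returns the previous mask
    (dynamic-wind
      (lambda () #t)
      (lambda ()
        (let ((sock (make-unix-domain-server-socket #:path path)))
          (spawn-server sock)               ; runs the REPL in a new thread
          path))
      (lambda () (umask old-umask)))))      ; restore even on error

(define (socket-private? path)
  "Return #t if PATH exists and grants no permissions to group or others."
  (and (file-exists? path)
       (zero? (logand (stat:perms (stat path)) #o077))))

(let ((path (start-private-repl-server)))
  (format #t "REPL listening on ~a (private: ~a)~%"
          path (socket-private? path)))
```

Because the listener is a filesystem object rather than a TCP port, access is governed by ordinary file permissions and the socket cannot be reached by anything that can only open network connections; `socket-private?` is a quick sanity check that the umask took effect on the created socket file.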


Thread overview: 10+ messages
2016-10-12 12:38 Guile 2.0.13 Ludovic Courtès
2016-10-12 16:20 ` Christopher Allan Webber
2016-10-12 16:35 ` Leo Famulari
2016-10-12 18:26   ` Christopher Allan Webber
2016-10-12 20:13   ` Ludovic Courtès
2016-10-12 20:30     ` Leo Famulari
2016-10-13 21:11       ` Ludovic Courtès
2016-10-15 17:13         ` Efraim Flashner
2016-10-15 19:46           ` Leo Famulari
2016-10-18 14:26           ` Ludovic Courtès