From: ludo@gnu.org (Ludovic Courtès)
Subject: Guile 2.0.13
Date: Wed, 12 Oct 2016 14:38:26 +0200
Message-ID: <8760oxpwsd.fsf@gnu.org>
To: guix-devel@gnu.org

Hello!

Guile 2.0.13 fixes a couple of security issues:

  https://lists.gnu.org/archive/html/guile-user/2016-10/msg00010.html

CVE-2016-8606 can be serious (remote code execution), but developers using
Guile can readily work around it; see the description at:

  https://lists.gnu.org/archive/html/guile-user/2016-10/msg00007.html

In particular, Geiser already uses Unix-domain sockets to talk to Guile,
which means we’re safe here.

CVE-2016-8605 is about the possibility of creating files with insecure
permissions in multithreaded programs. Apart from our own grafting code
(the infamous ), this is probably a rare situation.

So, what do we do?

Given that core-updates with Guile 2.0.12 is on its way and that master is
still at 2.0.11, I’d suggest leaving master as-is and focusing on
core-updates. There we have 2 options:

  1. Changing ‘guile-2.0/fixed’ to 2.0.13, but 1,310 packages depend on it.

  2. Grafting 2.0.13, which is doable since 2.0.12 and .13 have the same ABI.

I have a preference for #2.

Thoughts?

Ludo’.