Hello Schemers! Recently a few security vulnerabilities have been found and fixed in CHICKEN. In order to more effectively keep track of the state of our security, the CHICKEN Team has decided to adopt an official policy. As always, we've tried to keep things as simple and as informal as possible, to ensure our small core team can cope with this.
The most immediately useful part of this policy for users is that we will request CVE (Common Vulnerabilities and Exposures) identifiers in order to better track vulnerabilities across time. This will make it easier for OS packagers and users to know when it's time to upgrade to newer versions and what the consequences are of not doing so. Especially for business-critical uses of CHICKEN this is essential. There are also plenty of security tools which use the CVE database as a common ground for detecting issues. For more info see https://cve.mitre.org/about/index.html

For security researchers, we've created a wiki page describing how to report vulnerabilities and how we will respond: http://wiki.call-cc.org/security

There's also a new e-mail address for reporting vulnerabilities: [email protected]

To stay informed about security issues, you can also subscribe to the recently created low-volume chicken-announce mailing list.

Below you'll find a list of the CVE identifiers we've requested for the vulnerabilities that have been fixed:

CVE-2012-6122: select() buffer overrun (fixed in 4.8.0.1 and 4.8.2), see http://lists.nongnu.org/archive/html/chicken-users/2012-06/msg00031.html

CVE-2012-6123: Poisoned NUL byte injection (fixed in 4.8.0), see http://lists.nongnu.org/archive/html/chicken-users/2012-09/msg00004.html

CVE-2012-6124: Broken randomization procedure on 64-bit platforms (fixed in 4.8.0), see http://lists.nongnu.org/archive/html/chicken-hackers/2012-02/msg00084.html

CVE-2012-6125: Vulnerability to algorithmic complexity attacks due to hash table collisions (fixed in 4.8.0), see http://lists.nongnu.org/archive/html/chicken-hackers/2012-01/msg00020.html

These have been added to the NEWS file in both the master and stability/4.8.0 branches.

Kind regards,
The CHICKEN Team
