Source: racket
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for racket.

CVE-2021-32773[0]:
| Racket is a general-purpose programming language and an ecosystem for
| language-oriented programming. In versions prior to 8.2, code
| evaluated using the Racket sandbox could cause system modules to
| incorrectly use attacker-created modules instead of their intended
| dependencies. This could allow system functions to be controlled by
| the attacker, giving access to facilities intended to be restricted.
| This problem is fixed in Racket version 8.2. A workaround is
| available, depending on system settings. For systems that provide
| arbitrary Racket evaluation, external sandboxing such as containers
| limits the impact of the problem. For multi-user evaluation systems,
| such as the `handin-server` system, it is not possible to work around
| this problem and upgrading is required.

https://github.com/racket/racket/security/advisories/GHSA-cgrw-p7p7-937c

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32773
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32773

Please adjust the affected versions in the BTS as needed.

