Source: racket
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for racket.

CVE-2021-32773[0]:
| Racket is a general-purpose programming language and an ecosystem for
| language-oriented programming. In versions prior to 8.2, code
| evaluated using the Racket sandbox could cause system modules to
| incorrectly use attacker-created modules instead of their intended
| dependencies. This could allow system functions to be controlled by
| the attacker, giving access to facilities intended to be restricted.
| This problem is fixed in Racket version 8.2. A workaround is
| available, depending on system settings. For systems that provide
| arbitrary Racket evaluation, external sandboxing such as containers
| limits the impact of the problem. For multi-user evaluation systems,
| such as the `handin-server` system, it is not possible to work around
| this problem and upgrading is required.

https://github.com/racket/racket/security/advisories/GHSA-cgrw-p7p7-937c

If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32773
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32773

Please adjust the affected versions in the BTS as needed.