Thank you for letting us know.

~slg

-------- Original Message --------
On Jul 19, 2021, 2:35 PM, Sam Tobin-Hochstadt wrote:

> The Racket team recently became aware of a security vulnerability in
> the `racket/sandbox` library. Code evaluated using a sandbox could
> cause system modules to incorrectly use attacker-created modules
> instead of their intended dependencies. This could allow system
> functions to be controlled by the attacker, giving access to
> facilities intended to be restricted.
>
> The official advisory is at
> https://github.com/racket/racket/security/advisories/GHSA-cgrw-p7p7-937c
>
> To address this vulnerability, anyone who uses a sandbox to evaluate
> untrusted code should upgrade to version 8.2. This includes all uses
> of the Handin server.
>
> For users of the Handin server, it now provides an API to restrict
> `require`s for uses of teaching languages. We strongly encourage using
> this API [1], which can prevent exploiting this bug as well as other
> problems that access to full Racket or other installed modules might
> expose.
>
> Feedback on this advisory, and any security issues discovered in
> Racket, is welcome at secur...@racket-lang.org
>
> [1] the `#:requires` argument to `make-evaluator`, or the `requires`
> arguments to `make-evaluator/submission` and similar.
>
> Sam, for the Racket team
>
> --
> You received this message because you are subscribed to the Google Groups 
> "Racket Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to racket-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/racket-users/CAK%3DHD%2BZ5rnpqW1g27AzSEOSfmLLGqr86GQzkmjaw4cc7xtD4QQ%40mail.gmail.com.
