[Chicken-users] New Eggs: SRFI-121, SRFI-127, SRFI-133

2016-07-23 Thread Jeremy Steward

Hello all,

I've taken the opportunity to package SRFI-121 (Generators), SRFI-127
(Lazy Sequences), and SRFI-133 (Vectors [R7RS-compatible]) for
CHICKEN. The eggs all pass salmonella and shouldn't contain any
errors. The repositories can be found below:

https://github.com/scheme-requests-for-implementation/srfi-121
https://github.com/scheme-requests-for-implementation/srfi-127
https://github.com/scheme-requests-for-implementation/srfi-133

Thanks again to John Cowan, Arthur Gleckler, and the SRFI committee
for the reference implementations of these libraries. For those who
don't know, these three libraries were recently voted in to be
included as part of R7RS-large. While I don't think that CHICKEN
strives for R7RS-large compatibility, having these libraries working
with CHICKEN is a pretty good step towards making R7RS compatibility a
trivial effort.

Cheers, and let me know if (when?) you find any bugs, either in the
installation / setup or otherwise.
-- 
Jeremy Steward



___
Chicken-users mailing list
Chicken-users@nongnu.org
https://lists.nongnu.org/mailman/listinfo/chicken-users


Re: [Chicken-users] [SECURITY] spiffy-cgi-handlers and http-client updated to prevent "httpoxy" attack

2016-07-23 Thread Andy Bennett
Hi Peter!

Thanks for all your work on this!

> A vulnerability called "httpoxy" has been announced, which affects a
> lot of software (server _and_ client) which speaks the HTTP protocol,
> allowing a man in the middle attack to be made on servers.  The
> spiffy-cgi-handlers and http-client eggs are also affected.
> 
> In short, the CGI specification defines that all HTTP headers should be
> converted to environment variables, after uppercasing them and prefixing
> them with "HTTP_".  Unfortunately, this allows an attacker to pass a
> (nonexistent) "Proxy:" header, which will then be converted to
> "HTTP_PROXY", which happens to be an environment variable which most
> HTTP client programs and libraries support as a way of telling them to
> route all requests through a proxy.  See https://httpoxy.org for more
> information about this attack.
> 
> The http-client egg is vulnerable to such an attack with the default
> value of "determine-proxy" (which is "determine-proxy-from-environment"),
> if it is used in a CGI program.  This situation only occurs if this
> process is invoked by a HTTP server which converts the Proxy header as a
> HTTP_PROXY environment variable.  The spiffy-cgi-handlers egg will do
> that in the default setup.
> 
> If your CGI scripts are not using http-client, they may still be
> vulnerable depending on which HTTP client library or application
> you are using.
> 
> These bugs have been fixed in http-client 0.10 and
> spiffy-cgi-handlers 0.5, so please update at your earliest convenience.
> 
> 
> If you are unable to update, both eggs provide sufficient hooks to fix
> this in user code, without patching the eggs:
> 
> In spiffy-cgi-handlers, you can add ("HTTP_PROXY" . #f) to the
> cgi-default-environment parameter:
> 
> (cgi-default-environment
>   (cons '("HTTP_PROXY" . #f) (cgi-default-environment)))
> 
> This has precedence over the dynamically determined environment list
> which converts the "Proxy" header to "HTTP_PROXY".
> 
> In http-client, you can disable or override the determine-proxy parameter
> with a custom procedure:
> 
> (use data-structures)
> (determine-proxy (constantly #f))
> 
> The updated versions of spiffy-cgi-handlers and http-client should be
> available shortly.
> 
> Kind regards,
> Peter Bex





Regards,
@ndy

-- 
andy...@ashurst.eu.org
http://www.ashurst.eu.org/
0290 DA75 E982 7D99 A51F  E46A 387A 7695 7EBA 75FF
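
Added example, not part of the original messages and not code from either egg: a small Python model of the header-to-environment mapping described in the quoted advisory, showing the effect of a server-side override like the quoted cgi-default-environment workaround and of a client that distrusts HTTP_PROXY under CGI. The function names, the cgi_aware switch and the sample headers are assumptions made for illustration.

```python
# Added illustration (Python model, not code from the CHICKEN eggs).

def cgi_environment(headers, overrides=()):
    """Build CGI meta-variables from request headers (RFC 3875, section 4.1.18).

    `overrides` models the workaround quoted above: pairs listed there take
    precedence over header-derived variables, and a value of None removes the
    variable (the role of #f in cgi-default-environment).
    """
    env = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": "GET"}
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    for name, value in overrides:
        if value is None:
            env.pop(name, None)
        else:
            env[name] = value
    return env


def proxy_from_environment(env, cgi_aware=False):
    """Return the proxy URL a client would pick up from `env`, or None.

    With cgi_aware=True the client distrusts HTTP_PROXY whenever CGI
    meta-variables are present, because the value is then request-controlled.
    """
    if cgi_aware and "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY")


# Constructed request headers; the Proxy value is a placeholder.
REQUEST_HEADERS = [
    ("Host", "app.example.test"),
    ("User-Agent", "example-client/1.0"),
    ("Proxy", "http://proxy.example.invalid:8080"),
]

if __name__ == "__main__":
    unpatched = cgi_environment(REQUEST_HEADERS)
    patched = cgi_environment(REQUEST_HEADERS, overrides=[("HTTP_PROXY", None)])
    print("unpatched server, naive client :", proxy_from_environment(unpatched))
    print("server override applied        :", proxy_from_environment(patched))
    print("unpatched server, aware client :",
          proxy_from_environment(unpatched, cgi_aware=True))
```

The first line printed is the request-supplied value; the other two are None, which is the outcome either mitigation is meant to produce.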






Re: [Chicken-users] [Chicken-announce] [SECURITY] spiffy-cgi-handlers and http-client updated to prevent "httpoxy" attack

2016-07-23 Thread Peter Bex
On Thu, Jul 21, 2016 at 08:21:38PM +0200, Peter Bex wrote:
> These bugs have been fixed in http-client 0.10 and
> spiffy-cgi-handlers 0.5, so please update at your earliest convenience.

The spiffy-cgi-handlers bug has been assigned CVE-2016-6286, and
the http-client bug has been assigned CVE-2016-6287.

Cheers,
Peter




Re: [Chicken-users] CHICKEN meetup reminder

2016-07-23 Thread Kooda
On Tue, 12 Jul 2016 11:11:05 +0200,
Christian Kellermann wrote:
> So arrange your travel today!

I just booked my train tickets!

I’ll be arriving at Nürnberg Hbf on Thursday 22nd at 17:25
and leaving on Sunday 25th at 16:00.
