We are pleased to announce GNU Guile release 2.0.13, the next maintenance release for the 2.0.x stable series, containing important security fixes. This release contains 44 commits by 11 people over 4 months.
Guile is an implementation of the Scheme programming language. It is designed to help programmers create flexible applications that can be extended by users or other programmers with plug-ins, modules, or scripts. With Guile you can create applications and games for the desktop, the Web, the command-line, and more. See https://gnu.org/software/guile/ for more information. In parallel the Guile development team has been hard at work on the next stable series, which we hope will see a stable release within the next couple months. Inquisitive users should see the recent 2.1.4 release notes at https://lists.gnu.org/archive/html/guile-user/2016-09/msg00042.html for a preview of our future stable series. ======================================================================== Here are the compressed sources: ftp://ftp.gnu.org/gnu/guile/guile-2.0.13.tar.gz (7.5MB) ftp://ftp.gnu.org/gnu/guile/guile-2.0.13.tar.lz (4.2MB) ftp://ftp.gnu.org/gnu/guile/guile-2.0.13.tar.xz (4.6MB) Here are the GPG detached signatures[*]: ftp://ftp.gnu.org/gnu/guile/guile-2.0.13.tar.gz.sig ftp://ftp.gnu.org/gnu/guile/guile-2.0.13.tar.lz.sig ftp://ftp.gnu.org/gnu/guile/guile-2.0.13.tar.xz.sig Use a mirror for higher download bandwidth: http://www.gnu.org/order/ftp.html Here are the MD5 and SHA1 checksums: dac267e76330176d48583258aeaa7016 guile-2.0.13.tar.gz b71b9e9b7356b139f3e73fef8f15ac7c guile-2.0.13.tar.lz d50bbb19672b72aa1e1c96e8f024bf00 guile-2.0.13.tar.xz efd3f9769d04b51803ea4ebcbfd7b6add1d419e6 guile-2.0.13.tar.gz 829bf94d8cca95d3a6dc0a898567da06c623a036 guile-2.0.13.tar.lz 627f7b5004f01b7e2c074e03fff3eda235c0d9ab guile-2.0.13.tar.xz [*] Use a .sig file to verify that the corresponding file (without the .sig suffix) is intact. First, be sure to download both the .sig file and the corresponding tarball. Then, run a command like this: gpg --verify guile-2.0.13.tar.gz.sig If that command fails because you don't have the required public key, then run this command to import it: gpg --keyserver pgp.mit.edu --recv-keys 3CE464558A84FDC69DB40CFB090B11993D9AEBB5 and rerun the 'gpg --verify' command. This release was bootstrapped with the following tools: Autoconf 2.69 Automake 1.15 Libtool 2.4.6 Makeinfo 6.3 Gnulib v0.1-800-g68b6ade ======================================================================== Changes in 2.0.13 (since 2.0.12): * Security fixes ** CVE-2016-8606: REPL server now protects against HTTP inter-protocol attacks Guile 2.x provides a "REPL server" started by the '--listen' command-line option or equivalent API (see "REPL Servers" in the manual). The REPL server is vulnerable to the HTTP inter-protocol attack as described at <https://en.wikipedia.org/wiki/Inter-protocol_exploitation>, notably the HTML form protocol attack described at <https://www.jochentopf.com/hfpa/hfpa.pdf>. A "DNS rebinding attack" can be combined with this attack and allow an attacker to send arbitrary Guile code to the REPL server through web pages accessed by the developer, even though the REPL server is listening to a loopback device ("localhost"). This was demonstrated in an article entitled "How to steal any developer's local database" available at <http://bouk.co/blog/hacking-developers/>. The REPL server in Guile 2.0.13 now detects attempts to exploit this vulnerability. It immediately closes the connection when it receives a line that looks like an HTTP request. Nevertheless, we recommend binding the REPL server to a Unix-domain socket, for instance by running: guile --listen=/tmp/guile-socket ** CVE-2016-8605: 'mkdir' procedure no longer calls umask(2) (<http://bugs.gnu.org/24659>) When the second argument to the 'mkdir' procedure was omitted, it would call umask(0) followed by umask(previous_umask) and apply the umask to mode #o777. This was unnecessary and a security issue for multi-threaded applications: during a small window the process' umask was set to zero, so other threads calling mkdir(2) or open(2) could end up creating world-readable/writable/executable directories or files. * New interfaces ** mkstemp! takes optional "mode" argument See "File System" in the manual, for more. ** New 'scm_to_uintptr_t' and 'scm_from_uintptr_t' C functions * Bug fixes ** Fix optimizer bug when compiling fixpoint operator ** Fix build error on MinGW ** Update 'uname' implementation on MinGW ** 'port-encoding' and 'set-port-encoding!' ensure they are passed an open port ** (system base target) now recognizes Alpha as a cross-compilation target ======================================================================== You can follow Guile development in the Git repository and on the Guile mailing lists. Note that Guile builds from the 'master' branch of Git have version number 2.1.x; the stable release series can be had from 'stable-2.0'. Guile versions with an odd middle number, e.g., 2.1.*, are unstable development versions. Even middle numbers indicate stable versions. This has been the case since the 1.3.* series. Please report bugs to bug-gu...@gnu.org. We also welcome reports of successful builds, which can be sent to the same email address. Happy hacking with Guile! Ludovic, on behalf of the Guile team.
signature.asc
Description: PGP signature
-- If you have a working or partly working program that you'd like to offer to the GNU project as a GNU package, see https://www.gnu.org/help/evaluation.html.