[Chicken-announce] [ANN] Official CHICKEN security policy

From: Peter Bex
Date: Fri, 8 Feb 2013 14:25:25 +0100
Hello Schemers!

Recently a few security vulnerabilities have been found and fixed in
CHICKEN.  In order to more effectively keep track of the state of our
security, the CHICKEN Team has decided to adopt an official policy.
As always, we've tried to keep things as simple and as informal as
possible, to ensure our small core team can cope with this.

The most immediately useful part of this policy for users is that
we will request CVE (Common Vulnerabilities and Exposures) identifiers
in order to better track vulnerabilities across time.  This will make
it easier for OS packagers and users to know when it's time to upgrade
to newer versions and what the consequences are of not doing so.
Especially for business-critical uses of CHICKEN this is essential.
There are also plenty of security tools which use the CVE database as
a common ground for detecting issues.  For more info see

For security researchers, we've created a wiki page describing how
to report vulnerabilities and how we will respond:
There's also a new e-mail address for reporting vulnerabilities:
To stay informed about security issues, you can also subscribe to the
recently created low-volume chicken-announce mailing list.

Below you'll find a list of the CVE identifiers we've requested for
the vulnerabilities that have been fixed:

CVE-2012-6122: select() buffer overrun (fixed in and 4.8.2), see

CVE-2012-6123: Poisoned NUL byte injection (fixed in 4.8.0), see

CVE-2012-6124: Broken randomization procedure on 64-bit platforms
(fixed in 4.8.0), see

CVE-2012-6125: Vulnerability to algorithmic complexity attacks due to
hash table collisions (fixed in 4.8.0), see

These have been added to the NEWS file in both the master and stability/4.8.0

Kind regards,

