
[Chicken-announce] [ANN] Official CHICKEN security policy


From: Peter Bex
Subject: [Chicken-announce] [ANN] Official CHICKEN security policy
Date: Fri, 8 Feb 2013 14:25:25 +0100
User-agent: Mutt/1.4.2.3i

Hello Schemers!

Recently a few security vulnerabilities have been found and fixed in
CHICKEN.  In order to more effectively keep track of the state of our
security, the CHICKEN Team has decided to adopt an official policy.
As always, we've tried to keep things as simple and as informal as
possible, to ensure our small core team can cope with this.

The most immediately useful part of this policy for users is that
we will request CVE (Common Vulnerabilities and Exposures) identifiers
in order to better track vulnerabilities across time.  This will make
it easier for OS packagers and users to know when it's time to upgrade
to newer versions and what the consequences are of not doing so.
Especially for business-critical uses of CHICKEN this is essential.
There are also plenty of security tools which use the CVE database as
a common ground for detecting issues.  For more info see
https://cve.mitre.org/about/index.html

For security researchers, we've created a wiki page describing how
to report vulnerabilities and how we will respond:
http://wiki.call-cc.org/security
There's also a new e-mail address for reporting vulnerabilities:
address@hidden
To stay informed about security issues, you can also subscribe to the
recently created low-volume chicken-announce mailing list.

Below you'll find a list of the CVE identifiers we've requested for
the vulnerabilities that have been fixed:

CVE-2012-6122: select() buffer overrun (fixed in 4.8.0.1 and 4.8.2), see
http://lists.nongnu.org/archive/html/chicken-users/2012-06/msg00031.html

CVE-2012-6123: Poisoned NUL byte injection (fixed in 4.8.0), see
http://lists.nongnu.org/archive/html/chicken-users/2012-09/msg00004.html

CVE-2012-6124: Broken randomization procedure on 64-bit platforms
(fixed in 4.8.0), see
http://lists.nongnu.org/archive/html/chicken-hackers/2012-02/msg00084.html

CVE-2012-6125: Vulnerability to algorithmic complexity attacks due to
hash table collisions (fixed in 4.8.0), see
http://lists.nongnu.org/archive/html/chicken-hackers/2012-01/msg00020.html

These have been added to the NEWS file in both the master and stability/4.8.0
branches.

Kind regards,
The CHICKEN Team
