Thank you for letting us know. ~slg
-------- Original Message --------
On Jul 19, 2021, 2:35 PM, Sam Tobin-Hochstadt wrote:

> The Racket team recently became aware of a security vulnerability in
> the `racket/sandbox` library. Code evaluated using a sandbox could
> cause system modules to incorrectly use attacker-created modules
> instead of their intended dependencies. This could allow system
> functions to be controlled by the attacker, giving access to
> facilities intended to be restricted.
>
> The official advisory is at
> https://github.com/racket/racket/security/advisories/GHSA-cgrw-p7p7-937c
>
> To address this vulnerability, anyone who uses a sandbox to evaluate
> untrusted code should upgrade to version 8.2. This includes all uses
> of the Handin server.
>
> For users of the Handin server, it now provides an API to restrict
> `require`s for uses of teaching languages. We strongly encourage using
> this API [1], which can prevent exploiting this bug as well as other
> problems that access to full Racket or other installed modules might
> expose.
>
> Feedback on this advisory, and any security issues discovered in
> Racket, is welcome at [email protected]
>
> [1] the `#:requires` argument to `make-evaluator`, or the `requires`
> arguments to `make-evaluator/submission` and similar.
>
> Sam, for the Racket team
>
> --
> You received this message because you are subscribed to the Google Groups
> "Racket Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/racket-users/CAK%3DHD%2BZ5rnpqW1g27AzSEOSfmLLGqr86GQzkmjaw4cc7xtD4QQ%40mail.gmail.com.

