Your message dated Fri, 21 Oct 2016 19:23:35 +0200
with message-id <[email protected]>
and subject line Re: Bug#841495: guile: REPL server vulnerable to HTTP
inter-protocol attacks
has caused the Debian Bug report #841495,
regarding guile: REPL server vulnerable to HTTP inter-protocol attacks
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
841495: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841495
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: guile-1.8
Severity: normal
Tags: security
GNU Guile, an implementation of the Scheme language, provides a "REPL server"
which is a command prompt that developers can connect to for live coding and
debugging purposes. The REPL server is started by the '--listen' command-line
option or equivalent API.
It was reported that the REPL server is vulnerable to the HTTP inter-protocol
attack.
This constitutes a remote code execution vulnerability for developers running a
REPL server that listens on a loopback device or private network. Applications
that do not run a REPL server, as is usually the case, are unaffected.
References:
http://seclists.org/oss-sec/2016/q4/100
Upstream patch:
http://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.0&id=08c021916dbd3a235a9f9cc33df4c418c0724e03
--- End Message ---
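The report above describes the general hazard of a line-oriented listener on loopback: a browser can be steered into opening a connection to that port and sending an HTTP request whose body reaches the listener as ordinary input. The mitigation pattern is for the non-HTTP service to recognise an HTTP request line as its very first line and drop the connection without interpreting anything. The example below is added here to illustrate that pattern; it is not the Guile patch linked above and not Guile code at all. It is a constructed toy echo service in Python (the `GuardedLineHandler`, `looks_like_http_request` and `talk` names are this example's own) that rejects clients whose first line is shaped like an HTTP request line.

```python
import re
import socket
import socketserver
import threading

# Shape of an HTTP request line (RFC 7230): METHOD SP request-target SP HTTP/major.minor.
# A browser coerced into talking to a non-HTTP port always opens with one of these.
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/\d\.\d$")


def looks_like_http_request(first_line: bytes) -> bool:
    """True if the first line a client sent is shaped like an HTTP request line."""
    return HTTP_REQUEST_LINE.match(first_line.rstrip(b"\r\n")) is not None


class GuardedLineHandler(socketserver.StreamRequestHandler):
    """Toy line-oriented service (constructed for this example): echoes each line
    back, but closes the connection if the very first line looks like HTTP."""

    def handle(self):
        first = self.rfile.readline()
        if looks_like_http_request(first):
            # Do not interpret or echo anything from an HTTP client: the request
            # body could carry text chosen by whoever served the page to the browser.
            self.server.rejected += 1
            return  # returning closes the socket
        self.wfile.write(b"echo: " + first)
        for line in self.rfile:
            self.wfile.write(b"echo: " + line)


class GuardedServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    rejected = 0  # count of connections dropped by the HTTP check


def start_server() -> GuardedServer:
    """Bind the toy service to an ephemeral loopback port and serve in a thread."""
    srv = GuardedServer(("127.0.0.1", 0), GuardedLineHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def talk(port: int, payload: bytes) -> bytes:
    """Send payload to the service and return everything it answers.
    Returns b'' when the service dropped the connection without replying."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except ConnectionResetError:
            # The peer closed with unread input; treated the same as a drop.
            pass
        return b"".join(chunks)


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    # Constructed inputs: a plain line, and a browser-style request carrying that line in its body.
    print(talk(port, b"(+ 1 2)\n"))
    print(talk(port, b"POST / HTTP/1.1\r\nHost: localhost\r\n\r\n(+ 1 2)\n"))
    srv.shutdown()
    srv.server_close()
```

The check is deliberately limited to the first line: a legitimate interactive client never starts a session with `GET` or `POST` followed by a target and an `HTTP/x.y` token, so the test has no effect on normal use, while an HTTP-speaking browser is refused before any of its body is read as input.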
--- Begin Message ---
On Fri, Oct 21, 2016 at 10:57:59AM +0300, Matanya Moses wrote:
> Package: guile-1.8
> Severity: normal
> Tags: security
>
> GNU Guile, an implementation of the Scheme language, provides a
> "REPL server" which is a command prompt that developers can connect
> to for live coding and debugging purposes. The REPL server is
> started by the '--listen' command-line option or equivalent API.
>
> It was reported that the REPL server is vulnerable to the HTTP
> inter-protocol attack.
>
> This constitutes a remote code execution vulnerability for
> developers running a REPL server that listens on a loopback device
> or private network. Applications that do not run a REPL server, as
> is usually the case, are unaffected.
The REPL server was only introduced in the 2.0 series. CVE-2016-8606 is
already tracked as #840555 for guile-2.0.
Regards,
Salvatore
--- End Message ---