On Mon, Mar 23, 2015 at 5:21 PM Brandon Allbery <allber...@gmail.com> wrote:

> On Mon, Mar 23, 2015 at 11:19 AM, Richard Eisenberg <e...@cis.upenn.edu>
> wrote:
>
>> - "It's always out-of-date." This statement, while true, isn't a direct
>> indication that something is wrong.
>
> "Perception is reality". The period when the Platform went without an
> update for over a year because we were waiting on ghc 6.8.3 did a lot to
> ruin the Platform's reputation.
>
I hate to bring this up, but it's not just a historical issue. The version
of attoparsec used by the platform today forces an old version of aeson to
be used (0.6.2.1). The combination of that aeson and attoparsec version is
vulnerable to an incredibly severe DoS attack for specially crafted JSON
strings (e.g., {"foo":1e100000000000000000000000}). In fact, just a few
weeks ago I sent a private email to someone about a massive vulnerability
in a service (obviously not going to point out which one).

Michael
_______________________________________________
ghc-devs mailing list
ghc-devs@haskell.org
http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs
