[Haskell-cafe] ANN: Important lambdabot update (5.0.2.1 release)

Bertram Felgenhauer bertram.felgenhauer at googlemail.com
Sun May 3 14:27:54 UTC 2015


Hi,

I've just released lambdabot-5.0.2.1 which plugs an embarrassing
security hole in the @check command; if you are running lambdabot as an
IRC bot, you should upgrade!

Generally, lambdabot relies on SafeHaskell and not running user-supplied
IO actions for safety. This is unlikely to be bullet-proof, so it's
advisable to sandbox mueval. However, the @check command violated this
basic principle, and allowed running arbitrary IO actions. This is now
fixed by using the (new) QuickCheck-safe package that only uses
unsafePerformIO for the specific purposes of catching exceptions and
generating the initial seed for random number generation.

Thanks to benzfr on Freenode for finding this!

There are a few minor changes. Notably, we now ship compiler-specific
versions of Pristine.hs so that lambdabot runs out of the box on both
ghc-7.6.3 and ghc-7.8.3 (ghc-7.10.1 still needs some work), and the
dict plugin no longer supports looking up several words at once.

Cheers,

Bertram

P.S. As I just realized, I forgot to update the Changelog that comes
with lambdabot... will try to remember next time.

