Status of Haskell Platform 2014.2.0.0

Bryan O'Sullivan bos at
Tue Jul 15 20:59:38 UTC 2014

On Tue, Jul 15, 2014 at 1:43 PM, Mark Lentczner <mark.lentczner at>

> This is rather late to hear this... given that I plan to Alpha this
> weekend or sooner.
> Can you quantify the security fixes? Do they only revolve around floats?

Well, it was rather late to hear that you weren't going to upgrade
attoparsec, too ;-)

In brief, an attacker can DoS a user of attoparsec by handing them a
floating point number with a sufficiently large exponent (e.g.
1e1000000000). This will cause it to try to create an Integer with the
given number of digits, thus possibly OOMing a machine or crashing a
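
The failure mode described in the message above, as an added example that is not part of the original post and is not attoparsec's code: a minimal decimal parser using only `base`, with the unguarded Integer expansion beside a version that checks the exponent first. The names `Sci`, `parseSci`, `expandUnsafe`, `toDoubleBounded` and the limit `maxExp` are assumptions made for illustration.

```haskell
module Main where

import Control.Monad (guard)
import Data.Char (isDigit)
import Text.Read (readMaybe)

-- Coefficient and base-10 exponent kept apart, so parsing allocates nothing
-- proportional to the exponent's value. (Hypothetical type for this example.)
data Sci = Sci Integer Integer deriving Show

-- Parse unsigned decimals such as "3.25e2" or "1e-3" (leading sign omitted for brevity).
parseSci :: String -> Maybe Sci
parseSci s = do
  let (mant, rest)  = break (`elem` "eE") s
      (whole, dotF) = break (== '.') mant
      frac          = drop 1 dotF
  c <- digits (whole ++ frac)
  e <- if null rest then Just 0 else signed (drop 1 rest)
  pure (Sci c (e - toInteger (length frac)))
  where
    digits ds = guard (not (null ds) && all isDigit ds) >> readMaybe ds
    signed ('-' : ds) = negate <$> digits ds
    signed ('+' : ds) = digits ds
    signed ds         = digits ds

-- Unguarded pattern: builds c * 10^e as an Integer, so memory and time scale
-- with the exponent's value, not with the length of the input.
expandUnsafe :: Sci -> Integer
expandUnsafe (Sci c e)
  | e >= 0    = c * 10 ^ e
  | otherwise = c `div` (10 ^ negate e)

-- Assumed limit for this example; finite doubles end near 1e308.
maxExp :: Integer
maxExp = 400

-- Guarded conversion: reject out-of-range exponents before any expansion.
toDoubleBounded :: Sci -> Either String Double
toDoubleBounded (Sci c e)
  | c == 0         = Right 0
  | abs e > maxExp = Left ("exponent out of range: " ++ show e)
  | e >= 0         = Right (fromInteger (c * 10 ^ e))
  | otherwise      = Right (fromRational (toRational c / 10 ^ negate e))

main :: IO ()
main = mapM_ report ["3.25e2", "1e-3", "1e1000000000"]  -- constructed inputs
  where
    report s = putStrLn (s ++ " -> " ++ maybe "parse error" (show . toDoubleBounded) (parseSci s))
```

`main` never calls `expandUnsafe`; it is shown only for contrast with the bounded conversion.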