wither the Platform

Michael Snoyman michael at snoyman.com
Mon Mar 23 15:54:55 UTC 2015

On Mon, Mar 23, 2015 at 5:21 PM Brandon Allbery <allbery.b at gmail.com> wrote:

> On Mon, Mar 23, 2015 at 11:19 AM, Richard Eisenberg <eir at cis.upenn.edu>
> wrote:
>> - "It's always out-of-date." This statement, while true, isn't a direct
>> indication that something is wrong.
> "Perception is reality". The period when the Platform went without an
> update for over a year because we were waiting on ghc 6.8.3 did a lot to
> ruin the Platform's reputation.
I hate to bring this up, but it's not just a historical issue. The version
of attoparsec used by the platform today forces an old version of aeson to
be used ( The combination of that aeson and attoparsec version is
vulnerable to an incredibly severe DoS attack for specially crafted JSON
strings (e.g., {"foo":1e100000000000000000000000}). In fact, just a few
weeks ago I sent a private email to someone about a massive vulnerability
in a service (obviously not going to point out which one).
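The crafted payload in the message above (`{"foo":1e100000000000000000000000}`) relies on a JSON parser eagerly expanding a huge decimal exponent into a number. The following is an added illustration, not code from the message, from aeson, or from attoparsec: a small pre-filter, written here in Python, that walks a JSON document, skips string literals so that numbers inside strings are ignored, and rejects any number literal whose exponent magnitude exceeds a bound before the text is handed to the real parser. The bound `MAX_EXPONENT = 1024` and the function names are assumptions chosen for this example; the exponent is compared by digit count first so that the check itself never has to convert an enormous digit string into an integer.

```python
import json
import re

# Assumed bound for this example: any |exponent| above it is rejected up front.
MAX_EXPONENT = 1024

# JSON number grammar (RFC 8259): -? int frac? exp?  Group 1 captures the exponent digits.
_NUMBER = re.compile(r'-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE]([+-]?\d+))?')


def _exponent_too_large(exp, max_exponent):
    """True if the exponent string (with optional sign) has magnitude > max_exponent.

    Compare by digit count before converting, so a multi-megabyte exponent
    never reaches int() and the guard cannot itself become the expensive step.
    """
    digits = exp.lstrip('+-').lstrip('0') or '0'
    if len(digits) > len(str(max_exponent)):
        return True
    return int(digits) > max_exponent


def find_oversized_exponent(text, max_exponent=MAX_EXPONENT):
    """Return (offset, literal) of the first number literal outside a string
    whose exponent magnitude exceeds max_exponent, or None if the text is clean."""
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':
            # Skip a string literal, honouring backslash escapes, so that
            # something like "1e99999" inside a string is not treated as a number.
            i += 1
            while i < n and text[i] != '"':
                i += 2 if text[i] == '\\' else 1
            i += 1
        elif c == '-' or c.isdigit():
            m = _NUMBER.match(text, i)
            if m is None:
                i += 1
                continue
            exp = m.group(1)
            if exp is not None and _exponent_too_large(exp, max_exponent):
                return (m.start(), m.group(0))
            i = m.end()
        else:
            i += 1
    return None


def safe_loads(text, max_exponent=MAX_EXPONENT):
    """Parse JSON only after confirming no number carries a pathological exponent."""
    bad = find_oversized_exponent(text, max_exponent)
    if bad is not None:
        offset, literal = bad
        raise ValueError(
            f"rejected JSON: number {literal!r} at offset {offset} "
            f"has an exponent beyond +/-{max_exponent}")
    return json.loads(text)


if __name__ == "__main__":
    # Constructed inputs: the payload quoted in the message, and a benign document.
    for doc in ['{"foo":1e100000000000000000000000}', '{"a": 1e10, "b": "1e99999"}']:
        try:
            print("accepted:", safe_loads(doc))
        except ValueError as e:
            print(e)
```

The filter is a stop-gap at the input boundary, not a replacement for a parser that represents numbers lazily (coefficient and exponent kept separate) and only expands them on demand; it is cheap to run in front of any JSON endpoint while the underlying library is upgraded.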
