wither the Platform

Michael Snoyman michael at snoyman.com
Mon Mar 23 15:54:55 UTC 2015


On Mon, Mar 23, 2015 at 5:21 PM Brandon Allbery <allbery.b at gmail.com> wrote:

> On Mon, Mar 23, 2015 at 11:19 AM, Richard Eisenberg <eir at cis.upenn.edu>
> wrote:
>
>> - "It's always out-of-date." This statement, while true, isn't a direct
>> indication that something is wrong.
>
> "Perception is reality". The period when the Platform went without an
> update for over a year because we were waiting on ghc 6.8.3 did a lot to
> ruin the Platform's reputation.
>
I hate to bring this up, but it's not just a historical issue. The version
of attoparsec used by the platform today forces an old version of aeson to
be used (0.6.2.1). The combination of that aeson and attoparsec version is
vulnerable to an incredibly severe DoS attack for specially crafted JSON
strings (e.g., {"foo":1e100000000000000000000000}). In fact, just a few
weeks ago I sent a private email to someone about a massive vulnerability
in a service (obviously not going to point out which one).

Michael
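The exponent-driven DoS described above, as an added Python example (this is not aeson or attoparsec code, nor a description of how aeson was fixed): a naive exact conversion beside a guarded one that bounds the exponent textually before any arithmetic runs, wired into `json.loads` via `parse_float`. The limit `MAX_ABS_EXPONENT` and all function names are constructed for this example.

```python
"""Guarded parsing of JSON number literals (added example).

The literal 1e100000000000000000000000 is 26 bytes, but its exact value has
roughly 10**26 digits. A decoder that builds the exact number by evaluating
10**exponent eagerly does unbounded work for a tiny input. The guard below
rejects the exponent from its *text* before any arithmetic happens.
"""
import json
import re
from fractions import Fraction

# RFC 8259 number grammar: sign, integer part, optional fraction, optional exponent.
_JSON_NUMBER = re.compile(r"^(-?)(0|[1-9][0-9]*)(?:\.([0-9]+))?(?:[eE]([+-]?[0-9]+))?$")

# Constructed policy limit: covers every IEEE double (max ~1.8e308) while keeping
# 10**exponent to a few hundred bytes. Tune per application.
MAX_ABS_EXPONENT = 400


def parse_json_number_naive(text: str) -> Fraction:
    """Vulnerable shape: Fraction(text) evaluates 10**exponent eagerly, so the
    crafted literal above exhausts CPU and memory. Never call on untrusted input."""
    return Fraction(text)


def parse_json_number_guarded(text: str, max_abs_exponent: int = MAX_ABS_EXPONENT) -> Fraction:
    """Exact conversion that refuses absurd exponents before doing any arithmetic."""
    m = _JSON_NUMBER.match(text)
    if not m:
        raise ValueError(f"not a JSON number: {text!r}")
    sign, int_part, frac_part, exp_part = m.groups()
    frac_part = frac_part or ""
    exp_digits = (exp_part or "0").lstrip("+-").lstrip("0")
    # Cheap length check first: a 27-digit exponent is rejected without building an int.
    if len(exp_digits) > len(str(max_abs_exponent)):
        raise ValueError(f"exponent {exp_part} out of range")
    exponent = int(exp_part or "0") - len(frac_part)  # fold fraction digits into coefficient
    if abs(exponent) > max_abs_exponent:
        raise ValueError(f"effective exponent {exponent} exceeds {max_abs_exponent}")
    coefficient = int(int_part + frac_part)
    if sign:
        coefficient = -coefficient
    return Fraction(coefficient * 10**exponent) if exponent >= 0 else Fraction(coefficient, 10**-exponent)


def loads_guarded(doc: str):
    """json.loads hands parse_float the raw literal text, so the guard runs first."""
    return json.loads(doc, parse_float=parse_json_number_guarded)


def is_safe_json_document(doc: str) -> bool:
    """False for malformed JSON (JSONDecodeError is a ValueError) or an oversized exponent."""
    try:
        loads_guarded(doc)
        return True
    except ValueError:
        return False
```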