Lisplog

Blogging in Lisp

Feed Aggregator

Rendered on Wed, 22 Mar 2017 22:01:57 GMT

Reporting a Security Issue in Erlang/OTP

via Erlang.org News RSS on Tue, 21 Mar 2017 00:00:00 GMT
Please follow this document to report security issues in Erlang/OTP. Do not create a public issue for a security issue.

When should you report a security issue?

The risk level is often determined by the product of the impact once exploited and the probability of exploitation occurring. In other words, if a bug can cause great damage but requires the highest privilege to exploit, then it is not a high-risk one. Similarly, if a bug is easily exploitable but its impact is limited, then it is not a high-risk issue either.

There is no hard-and-fast rule for deciding whether a bug is worth reporting as a security issue to erlang-security [at] erlang [dot] org. A general rule is that it is a security issue if someone with no access to the Erlang application or its system can, through the bug, affect confidentiality, integrity or availability.

What happens after the report?

All security bugs in the Erlang/OTP distribution should be reported to erlang-security [at] erlang [dot] org. Your report will be handled by a small security team within the OTP team. Your email will be acknowledged as soon as we start handling the issue.

Please use a descriptive email title for your report. After the initial response to your report, the security team will keep you updated on the progress and on the decisions being made towards a fix and a release announcement.

Flagging Existing Issues as Security-related

If you believe that an existing public issue on bugs.erlang.org is security-related, we ask that you send an email to erlang-security [at] erlang [dot] org. The email title should contain the issue ID on bugs.erlang.org (e.g. "Flagging security issue ERL-001"). Please include a short description explaining why it should be handled according to the security policy.

Erlang/OTP 19.3 has been released

via Erlang.org News RSS on Wed, 15 Mar 2017 00:00:00 GMT

Some highlights for 19.3

  • crypto, ssh: The implementation of the key exchange algorithms diffie-hellman-group-exchange-sha* are optimized, up to a factor of 11 for the slowest ( = biggest and safest) group size.
  • dialyzer: The peak memory consumption is reduced.
    Analyzing modules with binary construction with huge strings is now much faster.
  • erts: A SIGTERM signal received by beam will generate a 'stop' message to the init process and terminate the Erlang VM gracefully. This is equivalent to calling init:stop/0.
  • kernel: The functions in the 'file' module that take a list of paths (e.g. file:path_consult/2) will now continue to search the path if it contains something that is not a directory.
    Two OTP processes that are known to receive many messages are 'rex' (used by 'rpc') and 'error_logger'. Those processes will now store unprocessed messages outside the process heap, which improves their capability to handle large message queues.
  • public_key: The new functions pkix_verify_hostname/2,3 implement certificate hostname checking. See the manual and RFC 6125.
  • public_key, ssh: The ssh host key fingerprint generation now also takes a list of algorithms and returns a list of corresponding fingerprints. See public_key:ssh_hostkey_fingerprint/2 and the option silently_accept_hosts in ssh:connect.
  • ssl: The PEM cache is moved to a dedicated process, to avoid making the SSL manager process a bottleneck. This improves the scalability of TLS connections.
  • stdlib: filename:safe_relative_path/1, which sanitizes a relative path, has been added.
  • Thanks to more than 20 different contributors
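The stdlib item above is the security-relevant one for anyone serving files from a document root. The following is an added example, not code from the OTP release notes or from OTP itself: a hypothetical module `safe_serve` (name, document root and sample requests are all constructed) that passes an untrusted relative path through filename:safe_relative_path/1 before joining it to the root, so that ".." components that would climb above the root, and absolute paths, are rejected as `unsafe`.

```erlang
%% Added example, not code from the OTP release notes: a hypothetical
%% static-file resolver that uses filename:safe_relative_path/1
%% (new in OTP 19.3) to reject directory traversal before touching disk.
-module(safe_serve).
-export([resolve/2, demo/0]).

%% resolve(DocRoot, Requested) -> {ok, Path} | {error, unsafe}
%% Requested is the untrusted relative path taken from a client request.
resolve(DocRoot, Requested) ->
    case filename:safe_relative_path(Requested) of
        unsafe ->
            %% Absolute paths, and ".." components that would climb above
            %% the root of the relative path, are both reported as unsafe.
            {error, unsafe};
        [] ->
            %% The request resolved to the document root itself.
            {ok, DocRoot};
        Rel ->
            %% Rel is sanitized: "." and resolvable ".." components are gone.
            {ok, filename:join(DocRoot, Rel)}
    end.

%% Constructed sample requests; the DocRoot value is a placeholder.
demo() ->
    DocRoot = "/srv/www/static",
    Requests = ["css/site.css",          % plain relative path
                "img/../css/site.css",   % ".." that stays inside DocRoot
                "../../secret.txt",      % climbs above DocRoot
                "/etc/hostname"],        % absolute path
    [{Req, resolve(DocRoot, Req)} || Req <- Requests].
```

Compile with `erlc safe_serve.erl` and run `erl -noshell -eval 'io:format("~p~n", [safe_serve:demo()]), halt().'`; the first two requests resolve to "/srv/www/static/css/site.css" and the last two return {error, unsafe}. Note that the check is purely lexical: it normalizes the path string and never looks at the filesystem, so a symbolic link inside the document root that points outside it is not caught by this function and needs a separate control.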

You can find the README and the full listing of changes for this service release at
http://www.erlang.org/download/otp_src_19.3.readme
The Erlang/OTP source can also be found at GitHub on the official Erlang repository,
https://github.com/erlang/otp with tag OTP-19.3

Please report any new issues via Erlang/OTP's public issue tracker

https://bugs.erlang.org

We want to thank all of those who sent us patches, suggestions and bug reports!

Thank you!

The Erlang/OTP Team at Ericsson

McCLIM: Progress report #6

via Planet Lisp on Tue, 14 Mar 2017 01:00:00 GMT

Dear Community,

I owe you apologies for skipping reports in the meantime. Since January I have not been withdrawing money from our fundraiser, thanks to other paid work, which means we have budget for more bounties. Keep in mind that this doesn't mean any work has ceased on my side.

During this iteration I was preparing a paper^1 for the upcoming European Lisp Symposium^2. Unfortunately it wasn't good enough to be accepted.

I'm still working on the tutorial and demo application mentioned in the paper proposal. Along the way, bugs and incompatibilities get fixed and pull requests are accepted. When questions arise on IRC or the mailing list, I try to answer them.

As a reminder: we have two active bounties at the moment:

Suggestions for which other issues should have a bounty on them are appreciated and welcome.

If you have any questions, doubts or suggestions - please contact me either by email (daniel@turtleware.eu) or on IRC (my nick is jackdaniel).

Sincerely yours,
Daniel Kochmański

Nick Levine: enlivend @ 2017-03-09T08:52:00

via Planet Lisp on Thu, 09 Mar 2017 07:52:18 GMT

My domain lisp-book.org expires in two months (on 2017-05-07). I do not intend to renew it. The material which it serves will remain available via http://nicklevine.org/lisp-book/

If anyone wishes to inherit the domain from me and put it to better use, they should get in touch.

Zach Beane: BALisp - YouTube

via Planet Lisp on Wed, 08 Mar 2017 20:25:06 GMT

BALisp - YouTube:

There are a bunch of new videos as of yesterday.

Nathan Froyd: nibbles and ironclad releases

via Planet Lisp on Tue, 07 Mar 2017 12:12:00 GMT

I have released new versions of nibbles (0.13) and ironclad (0.34). They are available from their respective tags in their github repositories; I have not created tarballs for them. Ironclad, in particular, has many new features; please see the NEWS files for both packages for some of the changes.

This is also an appropriate time to announce that I will no longer be maintaining nibbles, ironclad, or any of my other Common Lisp packages. This has been the de facto state of affairs for several years now; we might as well make it official.

Quicklisp news: Quicklisp client update: bundling local-projects

via Planet Lisp on Mon, 06 Mar 2017 15:45:00 GMT

The Quicklisp library bundle feature has been around for a while. It creates a "bundle" of libraries from Quicklisp that can be used standalone, without loading or using Quicklisp at all.

Today, I published an updated client with a new bundle feature: if :include-local-projects is true, everything in Quicklisp's ql:*local-project-directories* is copied into the bundle and made available when the bundle is loaded.

To get this update, use (ql:update-client). The new code will be loaded when Lisp is restarted.

This work was commissioned by Rigetti Computing.

If you have Quicklisp feature needs, feel free to get in touch with me!
Improving Ember app page load times using the App Shell model

via DockYard blog by Marten Schilstra on Fri, 17 Feb 2017 00:00:00 GMT

Experimenting with the App Shell model to make the DockYard.com website load faster

Making a DDAU checkbox list in Ember.js

via DockYard blog by Nico Mihalich on Fri, 18 Nov 2016 00:00:00 GMT

Use Data Down, Actions Up to create a simple Checkbox List UI element in Ember