The Racket team recently became aware of a security vulnerability in the `racket/sandbox` library. Code evaluated using a sandbox could cause system modules to incorrectly use attacker-created modules instead of their intended dependencies. This could allow system functions to be controlled by the attacker, giving access to facilities intended to be restricted.
The official advisory is at https://github.com/racket/racket/security/advisories/GHSA-cgrw-p7p7-937c To address this vulnerability, anyone who uses a sandbox to evaluate untrusted code should upgrade to version 8.2. This includes all uses of the Handin server. For users of the Handin server, it now provides an API to restrict `require`s for uses of teaching languages. We strongly encourage using this API [1], which can prevent exploiting this bug as well as other problems that access to full Racket or other installed modules might expose. Feedback on this advisory, and any security issues discovered in Racket, is welcome at secur...@racket-lang.org [1] the `#:requires` argument to `make-evaluator`, or the `requires` arguments to `make-evaluator/submission` and similar. Sam, for the Racket team -- You received this message because you are subscribed to the Google Groups "Racket Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to racket-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/racket-users/CAK%3DHD%2BZ5rnpqW1g27AzSEOSfmLLGqr86GQzkmjaw4cc7xtD4QQ%40mail.gmail.com.
