The Haskell Security Response Team (SRT) is a volunteer organization within the Haskell Foundation that is building tools and processes to aid the entire Haskell ecosystem in assessing and responding to security risks. In particular, we maintain a database of security advisories that can serve as a data source for security tooling.
This report details the SRT activities from July through October 2024. We extended this reporting period by one month to include the results of our recent Call for Volunteers.
The SRT is:
- Fraser Tweedale
- Gautier Di Folco
- Lei Zhu (new!)
- Mihai Maruseac
- Montez Fitzpatrick (new!)
- Tristan de Cacqueray
How to contact the SRT
For assistance in coordinating a security response to newly discovered, high impact vulnerabilities, contact security-advisories@haskell.org. Due to limited resources, we can only coordinate embargoed disclosures for high impact vulnerabilities affecting current versions of core Haskell tools and libraries, or in other exceptional cases.
You can submit lower-impact or historical vulnerabilities to the advisory database via a pull request to our GitHub repository.
You can also contact the SRT about non-advisory/security-response topics. We prefer public communication where possible. In most cases, GitHub issues are an appropriate forum. But the mail address is there if no other appropriate channel exists.
Growing the SRT
Following our mid-year decision to grow the SRT, José on behalf of the SRT published a Call for Volunteers. Applications closed at the end of September, with 4 applications received. Thank you to all applicants! We accepted 2 of the proposals, having in mind the long term sustainability of the SRT as a volunteer organisation (i.e. we should avoid burning the willing volunteers all at once!)
The new members of the SRT are:
-
Lei Zhu, who brings experience with web security, Linux security, privacy regulations and threat analysis. Lei has also contributed to HLS, vscode-haskell, and related projects, and maintains the array package.
-
Montez Fitzpatrick has a breadth of cybersecurity experience across two decades. As CISO of a healthcare company, GRC is his current focus. He has used Haskell professionally to build tooling for cybersecurity tasks.
Welcome to the team!
Advisory database
1 contemporary advisory was published during the reporting period.
0 historical advisories were added during the reporting period.
2 HSEC IDs (HSEC-2024-0004 and HSEC-2024-0005) remain reserved for embargoed vulnerabilities, which will be published later.
Additionally, HSEC-2024-0003 received substantive updates, because it was discovered that the original fix was incomplete.
We ask community members to report any known security issues, including historical issues, that are not yet included.
haskell.org Apache security update
In early August bug hunter Divya Singh (Dgirlwhohacks) notified the SRT that the version of Apache httpd serving haskell.org was vulnerable to CRLF injection. We escalated the issue to the Haskell Infrastructure Admins, and Gershom Bazerman promptly resolved the issue by upgrading Apache. Thanks to Divya for reporting, and Gershom for fixing the issue.
hackage-server “Reporting Vulnerabilities” link
Gautier implemented a Reporting Vulnerabilities link on package pages in hackage-server (pull request #1292). The change has been deployed on hackage.haskell.org. For now it links to CONTRIBUTING.md in the haskell/security-advisories GitHub repository.
In the future we would like to improve the contributor experience (e.g. a web form). But this small change is a big improvement because it alerts users that they can report security issues.
Tooling updates
-
CVSS 4.0 support is stalled. andrii (@unorsk) did significant initial work, and Fraser is reviewing, iterating and integrating it. CVSS 4.0 is much more complex than previous versions, and parts of the specification are ambiguous. We hope to finish the implementation and release updates around the end of year.
-
Hécate is working on integrating security advisory data in flora-server (pull request). They engaged the SRT for review (Gautier answered the call).
-
Because Flora indexes Haskell packages from namespaces beyond Hackage (e.g. Cardano), there is an ask (#240) to extend the Advisory DB data model and tooling to support additional namespaces. We have agreed on the approach but we have not started implementing it.
-
Mihai has been following the work by Janus Troelsen to add Haskell support to Renovate, an automated dependency update tool.