Haskell Security Response Team - 2025 January–March report

The Haskell Security Response Team (SRT) is a volunteer organization within the Haskell Foundation that is building tools and processes to aid the entire Haskell ecosystem in assessing and responding to security risks. In particular, we maintain a database of security advisories that can serve as a data source for security tooling.

This report details the SRT activities for January–March 2025.

The SRT is:

  • Fraser Tweedale
  • Gautier Di Folco
  • Lei Zhu
  • Mihai Maruseac
  • Montez Fitzpatrick
  • Tristan de Cacqueray

How to contact the SRT

For assistance in coordinating a security response to newly discovered, high impact vulnerabilities, contact security-advisories@haskell.org. Due to limited resources, we can only coordinate embargoed disclosures for high impact vulnerabilities affecting current versions of core Haskell tools and libraries, or in other exceptional cases.

You can submit lower-impact or historical vulnerabilities to the advisory database via a pull request to our GitHub repository.

You can also contact the SRT about non-advisory/security-response topics. We prefer public communication where possible. In most cases, GitHub issues are an appropriate forum. But the mail address is there if no other appropriate channel exists.

Haskell Security Response Team at ZuriHac + Ecosystem Workshop

Gautier will represent the SRT at ZuriHac and the Haskell Ecosystem Workshop (June 5–9). This is a great opportunity to collaborate on Haskell security tooling, either in person in Zürich or virtually.

If you have a particular project or collaboration idea, please share it in the planning issue (#272).

Conference presentation: Security response for open source ecosystems

Fraser presented at CrikeyCon, a cybersecurity conference in Brisbane, Australia. The talk Security response for open source ecosystems explains why open source security matters and how to start and run a security response team, based on his experiences with the Haskell SRT.

The slide deck is available now. Video of the presentation should appear on the CrikeyCon YouTube channel at some point.

Advisory database

3 contemporary advisories were published during the reporting period.

2 historical advisories were added during the reporting period.

2 HSEC IDs (HSEC-2024-0004 and HSEC-2024-0005) remain reserved for embargoed vulnerabilities, which will be published later.

We ask community members to report any known security issues, including historical issues, that are not yet included.

Advisories for the GHC toolchain

Following preparatory work last year, 2025-Q1 saw the publication of the first advisories for components of the GHC toolchain itself. To declare a GHC component as affected in an advisory, set the ghc-component field (cf. package for the Hackage namespace):

[[affected]]
ghc-component = "ghc"

The valid ghc-component values are: ghc, ghci, rts, ghc-pkg, runghc, ghc-iserv, hp2ps, hpc, hsc2hs, and haddock.

We registered the GHC namespace in the OSV schema. Advisories can be browsed on OSV.dev: OSV - Open Source Vulnerabilities.

Tooling updates

  • Gautier updated our tooling to build with GHC 9.10 and 9.12 support. This involved switching our Atom feed generation from the unmaintained feed library to atom-conduit.
11 Likes