| 1 | +# Haskell Security Response Team - 2025 April–June report |
| 2 | + |
| 3 | +The Haskell Security Response Team (SRT) is a volunteer organization |
| 4 | +within the Haskell Foundation that is building tools and processes |
| 5 | +to aid the entire Haskell ecosystem in assessing and responding to |
| 6 | +security risks. In particular, we maintain a [database][repo] of |
| 7 | +security advisories that can serve as a data source for security |
| 8 | +tooling. |
| 9 | + |
| 10 | +This report details the SRT activities for April–June 2025. |
| 11 | + |
| 12 | +[repo]: https://github.com/haskell/security-advisories |
| 13 | + |
| 14 | +The SRT is: |
| 15 | + |
| 16 | +- Fraser Tweedale |
| 17 | +- Gautier Di Folco |
| 18 | +- Lei Zhu |
| 19 | +- Mihai Maruseac |
| 20 | +- Montez Fitzpatrick |
| 21 | +- Tristan de Cacqueray |
| 22 | + |
| 23 | + |
| 24 | +## How to contact the SRT |
| 25 | + |
| 26 | +For assistance in coordinating a security response to newly |
| 27 | +discovered, high impact vulnerabilities, contact |
| 28 | +`[email protected]`. Due to limited resources, we can |
| 29 | +only coordinate embargoed disclosures for high impact |
| 30 | +vulnerabilities affecting current versions of core Haskell tools and |
| 31 | +libraries, or in other exceptional cases. |
| 32 | + |
| 33 | +You can submit lower-impact or historical vulnerabilities to the |
| 34 | +advisory database via a pull request to our [GitHub |
| 35 | +repository][repo]. |
| 36 | + |
| 37 | +You can also contact the SRT about non-advisory/security-response |
| 38 | +topics. We prefer public communication where possible. In most |
| 39 | +cases, [GitHub issues][gh-new-issue] are an appropriate forum. But |
| 40 | +the mail address is there if no other appropriate channel exists. |
| 41 | + |
| 42 | +[gh-new-issue]: https://github.com/haskell/security-advisories/issues/new/choose |
| 43 | + |
| 44 | + |
| 45 | +## ZuriHac trip report |
| 46 | + |
| 47 | +TODO - Tristan |
| 48 | + |
| 49 | + |
| 50 | +## Advisory database |
| 51 | + |
| 52 | +1 contemporary advisory and no historical advisories were published |
| 53 | +during the reporting period. |
| 54 | + |
| 55 | +2 HSEC IDs (HSEC-2024-0004 and HSEC-2024-0005) **remain** reserved |
| 56 | +for embargoed vulnerabilities, which will be published later. |
| 57 | + |
| 58 | +We urge community members to report any known security issues, |
| 59 | +including historical issues, that are not yet included in the |
| 60 | +database. |
| 61 | + |
| 62 | +### A note on the long-term embargoes |
| 63 | + |
| 64 | +HSEC-2024-0004 and HSEC-2024-0005 have been under embargo for a year |
| 65 | +now. Because of the long duration, it is appropriate for the SRT to |
| 66 | +provide some commentary about them. |
| 67 | + |
| 68 | +First, both of these issues affect the same component, but they are |
| 69 | +otherwise unrelated. |
| 70 | + |
| 71 | +Second, this is not a case of an unresponsive maintainer, but both |
| 72 | +issues are complex to resolve and the maintainers and stakeholders |
| 73 | +(including the SRT) are moving forward as best we can with our |
| 74 | +limited capacity. HSEC-2024-0004—the more severe of the two—is |
| 75 | +already partially mitigated. We hope (but cannot guarantee) that |
| 76 | +the mitigations can be completed and this advisory unembargoed in |
| 77 | +the coming months. HSEC-2024-0005 is less severe and has been |
| 78 | +deprioritised. We expect it will remain under embargo for longer |
| 79 | +still. |
| 80 | + |
| 81 | +Finally, we want to assure the community that keeping these issues |
| 82 | +under embargo until the mitigations are complete is the best course |
| 83 | +of action, even though it is taking a long time. There are no |
| 84 | +specific mitigation steps we can reveal to the community at this |
| 85 | +time. If you have questions or concerns, please get in touch with |
| 86 | +the SRT. |
| 87 | + |
| 88 | + |
| 89 | +## OCaml Security Team |
| 90 | + |
| 91 | +The OCaml Software Foundation is establishing the OCaml Security |
| 92 | +Team. They reached out to the Haskell SRT and we have shared our |
| 93 | +experiences and ideas. Congratulations to the OCaml community on |
| 94 | +this important step. We look forward to an open exchange of |
| 95 | +information and ideas between our teams. |
| 96 | + |
| 97 | + |
| 98 | +## Spurious web security report |
| 99 | + |
| 100 | +During the reporting period we received a spurious report (possibly |
| 101 | +auto-generated) about HTTP directory listing being enabled on |
| 102 | +https://haskell.org. We assessed the impact as negligible. |
| 103 | + |
| 104 | +In any case, this is a good opportunity to remind our community that |
| 105 | +Haskell project infrastructure (sites, services, etc) are within the |
| 106 | +SRT's purview, in addition to the library ecosystem. If you uncover |
| 107 | +any actual or potential security issues, please contact the SRT. |
| 108 | + |
| 109 | + |
| 110 | +## Tooling updates |
| 111 | + |
| 112 | +- Gautier implemented a `purl` ([Package URL]) library, and updated |
| 113 | + the `osv` library to use this new type. We will publish it on |
| 114 | + Hackage soon. |
| 115 | + |
| 116 | +[Package URL]: https://github.com/package-url/purl-spec/blob/main/PURL-SPECIFICATION.rst |