Bugzilla – Bug 1193877
VUL-0: CVE-2021-32773: racket: incorrect code evaluation may lead to privileges escalation
Last modified: 2022-01-21 09:01:30 UTC
Code evaluated using the Racket sandbox could cause system modules to incorrectly use attacker-created modules instead of their intended dependencies. This could allow system functions to be controlled by the attacker, giving access to facilities intended to be restricted. For systems that provide arbitrary Racket evaluation, external sandboxing such as containers limits the impact of the problem. For multi-user evaluation systems, such as the `handin-server` system, it is not possible to work around this problem and upgrading is required.
- openSUSE:Backports:SLE-15-SP2/racket 7.3
- openSUSE:Backports:SLE-15-SP3/racket 7.3
Please update them to a non-vulnerable version (>= 8.2).
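A check for the requirement stated above, written here as an added example (it is not part of the bug report or of the racket package): it parses the version banner an installed `racket` prints and compares it component-wise against the fixed version 8.2, so that 8.10 correctly ranks above 8.2 and a banner that cannot be parsed is reported rather than silently treated as fixed. The banner format `Welcome to Racket v8.3 [cs].` is an assumption about `racket --version` output; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the bug report: decide whether an installed Racket
# is at or above the version the report names as fixed for CVE-2021-32773.
# ASSUMPTION: `racket --version` prints a banner like "Welcome to Racket v8.3 [cs]."

FIXED_VERSION="8.2"

# Extract "MAJOR.MINOR[.PATCH]" from a Racket version banner.
# $1: banner text; prints the bare version (e.g. 8.3), nothing if unparseable.
racket_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*Racket v\([0-9]\{1,\}\(\.[0-9]\{1,\}\)*\).*/\1/p'
}

# Numeric, component-wise version comparison.
# Returns 0 if $1 >= $2, 1 otherwise; missing components count as 0.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        # Drop the consumed leading component (or empty the string if none left).
        [ "$ai" = "$a" ] && a="" || a=${a#*.}
        [ "$bi" = "$b" ] && b="" || b=${b#*.}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# Returns 0 when the banner's version is >= FIXED_VERSION,
# 1 when it is older, 2 when no version could be parsed.
racket_is_fixed() {
    v=$(racket_version_from_banner "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$FIXED_VERSION"
}

# Stand-alone use: inspect the racket on PATH, if there is one.
if command -v racket >/dev/null 2>&1; then
    if racket_is_fixed "$(racket --version 2>/dev/null)"; then
        echo "racket: at or above $FIXED_VERSION (fixed)"
    else
        echo "racket: below $FIXED_VERSION or version unparseable; update required"
    fi
fi
```

Run it on each host that ships racket; exit status 1 or 2 from `racket_is_fixed` means the package still needs the update.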
The devel/misc/racket has been upgraded to 8.3. The TW racket package has been brought up to date as well. But it looks like https://build.opensuse.org/package/show/openSUSE:Backports:SLE-15-SP2/racket is maintained by different people. After having a quick look, they don't have a history of receiving requests. How should we proceed? Maybe cc them?
I added Max Lin as he recently upgraded racket for openSUSE:Backports:SLE-15-SP4.
Security updates should be submitted against openSUSE:Backports:SLE-15-SP2:Update
(please use "obs sm racket" to show the valid current targets)