The Racket team recently became aware of a security vulnerability in
the `racket/sandbox` library. Code evaluated using a sandbox could
cause system modules to incorrectly use attacker-created modules
instead of their intended dependencies. This could allow system
functions to be controlled by the attacker, giving access to
facilities intended to be restricted.

The official advisory is at
https://github.com/racket/racket/security/advisories/GHSA-cgrw-p7p7-937c

To address this vulnerability, anyone who uses a sandbox to evaluate
untrusted code should upgrade to version 8.2. This includes all uses
of the Handin server.

For users of the Handin server, it now provides an API to restrict
`require`s for uses of teaching languages. We strongly encourage using
this API [1], which can prevent exploiting this bug as well as other
problems that access to full Racket or other installed modules might
expose.

Feedback on this advisory, and any security issues discovered in
Racket, is welcome at
secu...@racket-lang.org

[1] the `#:requires` argument to `make-evaluator`, or the `requires`
arguments to `make-evaluator/submission` and similar.

Sam, for the Racket team