GNU Guile, an implementation of the Scheme language, provides a "REPL server", a command prompt that developers can connect to for live coding and debugging purposes. The REPL server is started by the '--listen' command-line option or the equivalent API. It was reported that the REPL server is vulnerable to the HTTP inter-protocol attack. This constitutes a remote code execution vulnerability for developers running a REPL server that listens on a loopback device or private network. Applications that do not run a REPL server, as is usually the case, are unaffected.
References: http://seclists.org/oss-sec/2016/q4/100
Upstream patch: http://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.0&id=08c021916dbd3a235a9f9cc33df4c418c0724e03
Created compat-guile18 tracking bugs for this issue: Affects: fedora-all [bug 1383974] Affects: epel-7 [bug 1383975]
Created guile tracking bugs for this issue: Affects: fedora-all [bug 1383973]
It seems the repl server was added in guile-2.0, so the compat-guile18 packages shouldn't be affected.
Statement: Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.