Haskell Security Response Team - January-March 2024 Report

  • Haskell Security Response Team (SRT): A volunteer org within Haskell Foundation building tools & processes. Maintains database of security advisories.
  • SRT Contacts: For high-impact vulnerability responses, contact security-advisories@haskell.org. Submit lower-impact/historical vulns via pull request to the GitHub repo. Can also contact about non-advisory topics; GitHub issues preferred.
  • Advisory Database: 1 contemporary and 1 historical advisory added during Jan-Mar 2024. 1 HSEC ID reserved for embargoed vuln. Urge community to submit known sec issues.
  • Security Risks of Bundled/Vendored C Code: [HSEC-2024-0002] affected several packages due to bundled C sources. Resolved by introducing [bzip2-clib], making future updates easier. Need better identification of such libraries.
  • liblzma / xz utils backdoor: Discovered attack via malicious code in xz/liblzma (CVE-2024-3094). [lzma] binds to system lib; affected if system package was affected. [lzma-clib] and [lzma-static] bundle upstream sources before attack, so unaffected.
  • SRT at Haskell Ecosystem Workshop and ZuriHac 2024: Gautier, Fraser (maybe Mihai) will attend. Fraser will present to give orientation on tooling, share ideas & propose new work. Encourage attendance.
  • Introducing cabal-audit: Thanks to MangoIV, cabal-audit will be merged. Runs Cabal solver, looks for vulns & proposes fix versions. Eventually want cabal-install to have native audit.
  • HTML index and atom feed: In addition to [OSV.dev], generate HTML index at Haskell Security.Advisories.Core and add atom feed. Want better hosting & appearance.
  • Tooling Updates: Advisories now support capec field for recording CAPEC data. Introduced hsec-sync command for synchronising local cache. Will publish libraries on Hackage soon with useful packages like cvss, cwe, osv & hsec-core.
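The core of an audit step such as the one cabal-audit performs is to take the resolved build plan, look up each package in the advisory database, and decide from the advisory's affected version ranges whether the planned version is hit and which fixed version would clear it. The following is an added example, not code from cabal-audit or the SRT's libraries; it is written in Python rather than Haskell purely for illustration. The advisory record follows the OSV shape that the SRT exports to OSV.dev (affected / ranges / events with introduced and fixed). The advisory id, package names, versions and build plan are constructed placeholders, and only `introduced`/`fixed` events are handled.

```python
from typing import Optional

# Constructed advisory in OSV shape. HSEC-0000-0000 is a placeholder id,
# and example-clib / example-wrapper are not real Hackage packages.
ADVISORIES = [
    {
        "id": "HSEC-0000-0000",
        "summary": "constructed example: vulnerable bundled C sources",
        "affected": [
            {
                "package": {"ecosystem": "Hackage", "name": "example-clib"},
                "ranges": [{
                    "type": "ECOSYSTEM",
                    # Two affected windows: everything before 1.0.7, and 1.1.0 up to (not including) 1.1.2
                    "events": [{"introduced": "0"}, {"fixed": "1.0.7"},
                               {"introduced": "1.1.0"}, {"fixed": "1.1.2"}],
                }],
            },
            {
                "package": {"ecosystem": "Hackage", "name": "example-wrapper"},
                "ranges": [{
                    "type": "ECOSYSTEM",
                    # Open-ended: introduced in 2.0.0, no fixed release yet
                    "events": [{"introduced": "2.0.0"}],
                }],
            },
        ],
    }
]

# Constructed build plan as (package name, resolved version) pairs.
PLAN = [("base", "4.18.0.0"), ("example-clib", "1.1.1"), ("example-wrapper", "2.3.0")]


def parse_version(v: str) -> tuple[int, ...]:
    """Parse a dotted Cabal-style version into a tuple that compares componentwise."""
    return tuple(int(p) for p in v.split("."))


def affected_windows(events: list[dict]) -> list[tuple[tuple, Optional[tuple], Optional[str]]]:
    """Turn an OSV event list into (introduced, fixed, fixed_as_string) windows.

    OSV's 'introduced: "0"' means affected from the first release, which the
    empty tuple models because it compares below every real version.
    """
    windows = []
    start = None
    for ev in events:
        if "introduced" in ev:
            start = () if ev["introduced"] == "0" else parse_version(ev["introduced"])
        elif "fixed" in ev:
            if start is None:
                raise ValueError("'fixed' event without a preceding 'introduced'")
            windows.append((start, parse_version(ev["fixed"]), ev["fixed"]))
            start = None
    if start is not None:
        windows.append((start, None, None))  # still open: no fix published
    return windows


def match(version: str, events: list[dict]) -> tuple[bool, Optional[str]]:
    """Return (affected?, proposed fix version) for one version against one range."""
    v = parse_version(version)
    for start, fixed, fixed_str in affected_windows(events):
        if start <= v and (fixed is None or v < fixed):
            return True, fixed_str
    return False, None


def audit(plan: list[tuple[str, str]], advisories: list[dict]) -> list[dict]:
    """Cross the build plan with the advisory database; one finding per hit."""
    findings = []
    for name, version in plan:
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if pkg["ecosystem"] != "Hackage" or pkg["name"] != name:
                    continue
                for rng in aff["ranges"]:
                    if rng["type"] != "ECOSYSTEM":
                        continue
                    hit, fix = match(version, rng["events"])
                    if hit:
                        findings.append({"package": name, "version": version,
                                         "advisory": adv["id"], "fix": fix})
    return findings


if __name__ == "__main__":
    for f in audit(PLAN, ADVISORIES):
        remedy = f"upgrade to {f['fix']}" if f["fix"] else "no fixed version published"
        print(f"{f['advisory']}: {f['package']}-{f['version']} is affected ({remedy})")
```

Running this against the constructed plan reports example-clib-1.1.1 with an upgrade to 1.1.2 and example-wrapper-2.3.0 with no fix available; base is untouched. The open-ended window is the case worth noticing in a real audit: a package can be flagged without any version the solver could move to, so the tool must report rather than silently propose a fix.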