Abandoned vincenthz packages

[ysangkok]

Mandatory information:

• Package : I think the most notable are memory, foundation, basement
• cvss: 8
• affected versions: Latest, and given that the packages are abandoned, no new release will ever happen.

Long description:

The packages by Vincent have been abandoned with known issues. Given that these packages are commonly used in networked applications, I think it would be prudent to use official communication channels to note that these packages have serious unpatched issues, some of which may already be triggerable from the network.

For example, here is an infinite loop discovered by GHC devs, which was identified and never addressed. The repo is now archived so the issue will presumably never get fixed: haskell-foundation/foundation#570

Neil Mitchell pointed out another issue: haskell-foundation/foundation#447

[Kleidukos]

Related: haskell-infra/hackage-trustees#396

[frasertweedale]

Thanks for notifying us. SRT will begin working through this. If there are any other specific known issues in these packages, please drop them in comments here.

[Bodigrim]

W.r.t. security, cryptonite is suboptimal because of kazu-yamamoto/crypton#22, fixed in crypton.

[frasertweedale]

W.r.t. security, cryptonite is suboptimal because of kazu-yamamoto/crypton#22, fixed in crypto

This particular issue seems somewhat tenuous. If the entropy from getRandomBytes is compromised, hashing it doesn't help. I think this comment from the discussion sums it up well: https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/WFRDl8DqYQ4/m/_YZ_HcvwAwAJ.

There already are strong reasons to move from cryptonite to crypton. The number of reasons will grow, and some of those reasons may warrant a security advisory. But this one doesn't.

(SRT still needs to work through the other issues raised in this ticket).