Harelang users, update your Hare (CVE-2026-43923)
"Runxi Yu discovered a vulnerability affecting all versions of Hare prior to 0.26.0.1 which affects programs which have the "setuid" or "setgid" bits set in their file mode. The vulnerability allows an attacker to cause these programs to misbehave by writing data intended for stdout/stderr to other open files, potentially corrupting files with garbage or manipulating the program into writing attacker-supplied data to certain files ... A survey of known open-source Hare programs found that Hare programs which ship with the setuid bit are rare. Moreover, these programs are not believed to be exploitable as a result of this issue"
https://lists.sr.ht/~sircmpwn/hare-announce/%3CDIAKVMZYSWM2.319DZSFVJ2LK4@ddevault.org%3E