From: Leo Famulari
Subject: bug#27462: OCaml CVE-2015-8869
Date: Sat, 24 Jun 2017 12:03:04 -0400
Message-ID: <20170624160304.GA10364@jasmine.lan>
In-Reply-To: <20170623164129.GA4417@jasmine.lan>
To: Ben Woodcroft
Cc: 27462@debbugs.gnu.org
List: bug-guix@gnu.org (Bug reports for GNU Guix)

On Sat, Jun 24, 2017 at 10:25:52AM +1000, Ben Woodcroft wrote:
> On 24/06/17 02:41, Leo Famulari wrote:
> > Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
> > in the primary ocaml package in April 2016. Unfortunately, this patch
> > was not included when the ocaml-4.01 package was created in January
> > 2017.
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
> >
> > Do we need this older version of OCaml? If so, we need a volunteer to
> > maintain it.
>
> Thanks for pointing this out. AFAIK OCaml 4.01 is really only used to build
> pplacer, a bioinformatics program. I was planning on submitting 3 further
> bioinformatic packages soon which rely on pplacer, however.
>
> I'm not sure I have the bandwidth to backport patches to such an old
> release, especially since the OCaml maintainers do not appear to be either,
> AFAICS.
>
> This is a little frustrating, but perhaps they should be removed. WDYT?

That is a last resort :) We should check if another distro has a patch for
OCaml 4.01, if we can backport the patch, if pplacer can use a newer OCaml,
and only then consider removing the packages.
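The option Leo's reply lists second (backport the patch rather than drop the package) is, in Guix terms, a matter of attaching the patch to the package's origin. The definition below is an added illustration written for this page, not code from the Guix repository or from either message; it assumes that an `ocaml-4.01` variable exists in `(gnu packages ocaml)` (the thread refers to the package by that name) and that the backported fix has been committed as `gnu/packages/patches/ocaml-CVE-2015-8869.patch`, which is a hypothetical file name. It inherits the existing package and source so that the tarball URL and hash do not have to be repeated, and appends the patch to whatever patches the origin already carries instead of replacing them.

```scheme
;; Added example, not Guix's own definition of ocaml-4.01.
;; Assumptions: `ocaml-4.01' is the existing package variable and
;; "ocaml-CVE-2015-8869.patch" is a (hypothetical) patch file that has
;; been placed under gnu/packages/patches/ and registered in gnu/local.mk.
(define-module (gnu packages ocaml-4.01-patched)
  #:use-module (guix packages)
  #:use-module (gnu packages)        ; search-patches
  #:use-module (gnu packages ocaml)) ; ocaml-4.01

(define-public ocaml-4.01-patched
  (package
    (inherit ocaml-4.01)
    (source
     (origin
       ;; Keep method, URI and sha256 of the original source unchanged;
       ;; only the patch list is extended.
       (inherit (package-source ocaml-4.01))
       (patches
        (append (origin-patches (package-source ocaml-4.01))
                (search-patches "ocaml-CVE-2015-8869.patch")))))))
```

In practice the patch would be added to the existing `ocaml-4.01` definition directly rather than in a separate variant; the inheriting form is shown so the change is visible on its own. Before committing such a change, `guix build --source ocaml-4.01-patched` confirms that the patch applies cleanly to the 4.01 tree (the 4.03-era fix may need rebasing against the older runtime), and `guix refresh -l ocaml@4.01` lists the packages, such as pplacer, that would be rebuilt by the change.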