* bug#27462: OCaml CVE-2015-8869
From: Leo Famulari @ 2017-06-23 16:41 UTC
To: 27462
Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
in the primary ocaml package in April 2016. Unfortunately, this patch
was not included when the ocaml-4.01 package was created in January
2017.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
Do we need this older version of OCaml? If so, we need a volunteer to
maintain it.
From: Ben Woodcroft @ 2017-06-24 0:25 UTC
To: Leo Famulari, 27462
Hi Leo,
On 24/06/17 02:41, Leo Famulari wrote:
> Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
> in the primary ocaml package in April 2016. Unfortunately, this patch
> was not included when the ocaml-4.01 package was created in January
> 2017.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
>
> Do we need this older version of OCaml? If so, we need a volunteer to
> maintain it.
Thanks for pointing this out. AFAIK OCaml 4.01 is really only used to
build pplacer, a bioinformatics program. I was planning on submitting 3
further bioinformatic packages soon which rely on pplacer, however.
I'm not sure I have the bandwidth to backport patches to such an old
release, especially since the OCaml maintainers do not appear to be
either, AFAICS.
This is a little frustrating, but perhaps they should be removed. WDYT?
ben
From: Leo Famulari @ 2017-06-24 16:03 UTC
To: Ben Woodcroft; +Cc: 27462
On Sat, Jun 24, 2017 at 10:25:52AM +1000, Ben Woodcroft wrote:
> On 24/06/17 02:41, Leo Famulari wrote:
> > Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
> > in the primary ocaml package in April 2016. Unfortunately, this patch
> > was not included when the ocaml-4.01 package was created in January
> > 2017.
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
> >
> > Do we need this older version of OCaml? If so, we need a volunteer to
> > maintain it.
>
> Thanks for pointing this out. AFAIK OCaml 4.01 is really only used to build
> pplacer, a bioinformatics program. I was planning on submitting 3 further
> bioinformatic packages soon which rely on pplacer, however.
>
> I'm not sure I have the bandwidth to backport patches to such an old
> release, especially since the OCaml maintainers do not appear to be either,
> AFAICS.
>
> This is a little frustrating, but perhaps they should be removed. WDYT?
That is a last resort :)
We should check if another distro has a patch for OCaml 4.01, if we can
backport the patch, if pplacer can use a newer OCaml, and only then
consider removing the packages.
From: Andreas Enge @ 2019-01-31 16:57 UTC
To: 27462
Hello,
this bug has been open for quite a while, and the development of pplacer seems
to be stalled, with the latest commit in May 2018, and no reaction whatsoever
to Ben's bug report
https://github.com/matsen/pplacer/issues/354
How should we continue? Are people using the software, or should we maybe
remove it?
Andreas
From: Andreas Enge @ 2019-01-31 17:21 UTC
To: 27462
On Thu, Jan 31, 2019 at 05:57:03PM +0100, Andreas Enge wrote:
> Are people using the software
I suppose not, because one of its dependencies currently does not build:
...
phase `ocaml-findlib-environment' succeeded after 0.0 seconds
starting phase `configure'
build directory: "/tmp/guix-build-ocaml4.01-gsl-1.22.0.drv-0/gsl-1.22.0"
running 'configure' with arguments ("-prefix" "/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0")
Backtrace:
5 (primitive-load "/gnu/store/g4hk79x8kdpgnq87jhy6qjj9qa1…")
In ice-9/eval.scm:
191:35 4 (_ _)
In srfi/srfi-1.scm:
863:16 3 (every1 #<procedure 6ef100 at /gnu/store/vnbx61brdhy87…> …)
In /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/gnu-build-system.scm:
799:28 2 (_ _)
In /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/ocaml-build-system.scm:
55:8 1 (configure #:outputs _ #:configure-flags _ #:test-flags …)
In /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:
616:6 0 (invoke _ . _)
/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:616:6: In procedure invoke:
Throw to key `srfi-34' with args `(#<condition &invoke-error [program: "./configure" arguments: ("-prefix" "/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0") exit-status: 127 term-signal: #f stop-signal: #f] 491fc0>)'.
builder for `/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv' failed with exit code 1
build of /gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv failed
...
Shall we remove all the ocaml-4.01 universe? The next step would be 4.02;
it appears that the CVE is solved with 4.03 only:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
"OCaml before 4.03.0 does not properly handle..."
Andreas
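A small triage helper for build logs like the one above, added here as an example and not part of the thread or of Guix itself: it pulls the `&invoke-error` record that `invoke` from `(guix build utils)` prints out of a log and flags the exit status, since 127 conventionally means the command could not be executed at all rather than that it ran and failed. The sample input is the failing line quoted in the message above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The &invoke-error condition that `invoke' from (guix build utils) reports when
# a command run by a build phase fails, in the shape seen in the log above.
INVOKE_ERROR = re.compile(
    r'&invoke-error \[program: "(?P<program>[^"]*)"'
    r' arguments: \((?P<args>[^)]*)\)'
    r' exit-status: (?P<exit>\d+|#f)'
    r' term-signal: (?P<term>\d+|#f)'
    r' stop-signal: (?P<stop>\d+|#f)\]'
)

@dataclass
class InvokeError:
    program: str
    arguments: List[str]
    exit_status: Optional[int]  # None where Scheme printed #f
    term_signal: Optional[int]

def _scheme_int(token: str) -> Optional[int]:
    return None if token == "#f" else int(token)

def parse_invoke_error(log: str) -> Optional[InvokeError]:
    """Return the first &invoke-error found in a Guix build log, or None."""
    m = INVOKE_ERROR.search(log)
    if m is None:
        return None
    # Arguments are printed as a Scheme list of strings: ("-prefix" "/gnu/store/...")
    args = re.findall(r'"([^"]*)"', m.group("args"))
    return InvokeError(m.group("program"), args,
                       _scheme_int(m.group("exit")), _scheme_int(m.group("term")))

def classify(err: InvokeError) -> str:
    """Triage hint: separate 'could not run it' from 'ran and failed'."""
    if err.term_signal is not None:
        return "killed by signal %d" % err.term_signal
    if err.exit_status == 127:
        # 127 conventionally means the command could not be executed at all
        # (missing file, not executable, or its interpreter absent from the
        # build environment), not that configure ran and rejected something.
        return "could not be executed"
    return "exited with status %s" % err.exit_status

# Sample input: the failing line of the build log quoted above.
SAMPLE_LOG = """\
Throw to key `srfi-34' with args `(#<condition &invoke-error [program: "./configure" arguments: ("-prefix" "/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0") exit-status: 127 term-signal: #f stop-signal: #f] 491fc0>)'.
"""
```

Running `classify(parse_invoke_error(SAMPLE_LOG))` on the quoted log points at a missing or non-executable configure script (or interpreter) in the build environment rather than at a real configure-time error.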
From: Julien Lepiller @ 2019-01-31 17:30 UTC
To: 27462, andreas
On 31 January 2019 18:21:13 GMT+01:00, Andreas Enge <andreas@enge.fr> wrote:
>On Thu, Jan 31, 2019 at 05:57:03PM +0100, Andreas Enge wrote:
>> Are people using the software
>
>I suppose not, because one of its dependencies currently does not
>build:
>
>...
>phase `ocaml-findlib-environment' succeeded after 0.0 seconds
>starting phase `configure'
>build directory:
>"/tmp/guix-build-ocaml4.01-gsl-1.22.0.drv-0/gsl-1.22.0"
>running 'configure' with arguments ("-prefix"
>"/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0")
>Backtrace:
> 5 (primitive-load "/gnu/store/g4hk79x8kdpgnq87jhy6qjj9qa1…")
>In ice-9/eval.scm:
> 191:35 4 (_ _)
>In srfi/srfi-1.scm:
> 863:16 3 (every1 #<procedure 6ef100 at /gnu/store/vnbx61brdhy87…> …)
>In
>/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/gnu-build-system.scm:
> 799:28 2 (_ _)
>In
>/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/ocaml-build-system.scm:
> 55:8 1 (configure #:outputs _ #:configure-flags _ #:test-flags …)
>In
>/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:
> 616:6 0 (invoke _ . _)
>
>/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:616:6:
>In procedure invoke:
>Throw to key `srfi-34' with args `(#<condition &invoke-error [program:
>"./configure" arguments: ("-prefix"
>"/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0")
>exit-status: 127 term-signal: #f stop-signal: #f] 491fc0>)'.
>builder for
>`/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv'
>failed with exit code 1
>build of
>/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv
>failed
>...
>
>Shall we remove all the ocaml-4.01 universe? The next step would be
>4.02,
>it appears that the CVE is solved with 4.03 only:
>
>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
> "OCaml before 4.03.0 does not properly handle..."
>
>Andreas
I still care about ocaml-4.02, but I could probably update it to ocaml-4.04 without breaking dependents.
From: Andreas Enge @ 2019-02-19 22:17 UTC
To: Julien Lepiller; +Cc: 27462
On Thu, Jan 31, 2019 at 06:30:27PM +0100, Julien Lepiller wrote:
> I still care about ocaml-4.02, but I could probably update it to ocaml-4.04 without breaking dependents.
Commits 2e125ece093ef842ca017ffb146cbc5fa33f2f75 and
4982c0c98deecea0d4f69f14ea28cab53b5f2123 remove ocaml@4.01, pplacer and
all other dependent packages.
Is ocaml@4.02 really needed? It would be nice to get rid of a package
with a CVE.
Andreas
From: Julien Lepiller @ 2019-02-20 8:39 UTC
To: Andreas Enge; +Cc: 27462
On 19 February 2019 23:17:52 GMT+01:00, Andreas Enge <andreas@enge.fr> wrote:
>On Thu, Jan 31, 2019 at 06:30:27PM +0100, Julien Lepiller wrote:
>> I still care about ocaml-4.02, but I could probably update it to
>ocaml-4.04 without breaking dependents.
>
>Commits 2e125ece093ef842ca017ffb146cbc5fa33f2f75 and
>4982c0c98deecea0d4f69f14ea28cab53b5f2123 remove ocaml@4.01, pplacer and
>all other dependent packages.
>
>Is ocaml@4.02 really needed? It would be nice to get rid of a package
>with CVE.
>
>Andreas
At this point, we only need it for bap and dependencies. I've added dependencies for the latest bap commit that work with the latest ocaml, but they haven't released a new version yet. Can we wait a bit longer?
Another solution would be to jump to ocaml 4.05 and re-package another version of ~50 dependencies. I don't really want to do that…
From: Andreas Enge @ 2019-02-20 11:27 UTC
To: Julien Lepiller; +Cc: 27462
On Wed, Feb 20, 2019 at 09:39:20AM +0100, Julien Lepiller wrote:
> At this point, we only need it for bap and dependencies. I've added dependencies for the latest bap commit that work with the latest ocaml, but they haven't released a new version yet. Can we wait a bit longer?
>
> Another solution would be to jump to ocaml 4.05 and re-package another version of ~50 dependencies. I don't really want to do that…
I understand! Waiting a bit more should be okay given how long this bug
is already open... Or packaging a current snapshot of bap (with suitable
numbering as laid out, I think, in the documentation, so that users
will upgrade automatically from the current version over the snapshot to
the next released version).
Thanks,
Andreas
From: swedebugia @ 2019-01-31 17:26 UTC
To: 27462
On 2019-01-31 17:57, Andreas Enge wrote:
> Hello,
>
> this bug has been open for quite a while, and the development of pplacer seems
> to be stalled, with the latest commit in May 2018, and no reaction whatsoever
> to Ben's bug report
> https://github.com/matsen/pplacer/issues/354
>
> How should we continue? Are people using the software, or should we maybe
> remove it?
Remove sounds good to me.
--
Cheers Swedebugia
From: Julien Lepiller @ 2019-07-05 12:12 UTC
To: 27462-done
Ocaml-4.02 was removed a few months ago in c3634df2 but I forgot to close this bug report.