On Sat, Oct 29, 2016 at 07:46:53PM +0100, Marius Bakke wrote: > David Craven writes: > > > * gnu/packages/flex.scm (flex-2.6.1): New variable. > > This is newer than what we currently have (2.6.0). I know it's late in > the core-updates cycle, but maybe we can squeeze in a flex upgrade? Unfortunately, changing flex will cause ~1500 rebuilds per architecture, so I think we won't do it unless there is some very serious problem. Also see commit eba7fab890f43 on core-updates, which fixes a bug (CVE-2016-6354) that allow DOS and potentially arbitrary code execution in code generated by flex. Updating flex to the latest version should happen in the next core-updates, or possibly in an earlier staging / security-updates cycle.