From: bug#27462 <27462@debbugs.gnu.org>
To: bug#27462 <27462@debbugs.gnu.org>
Subject: Status: OCaml CVE-2015-8869
Date: Tue, 24 Jun 2025 05:04:49 +0000

retitle 27462 OCaml CVE-2015-8869
reassign 27462 guix
submitter 27462 Leo Famulari
severity 27462 normal
tag 27462 security
thanks

From: Leo Famulari
To: bug-guix@gnu.org
Date: Fri, 23 Jun 2017 12:41:29 -0400
Subject: OCaml CVE-2015-8869

Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
in the primary ocaml package in April 2016. Unfortunately, this patch
was not included when the ocaml-4.01 package was created in January
2017.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869

Do we need this older version of OCaml? If so, we need a volunteer to
maintain it.

From: Ben Woodcroft
To: Leo Famulari, 27462@debbugs.gnu.org
Date: Sat, 24 Jun 2017 10:25:52 +1000
Subject: Re: bug#27462: OCaml CVE-2015-8869

Hi Leo,

On 24/06/17 02:41, Leo Famulari wrote:
> Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
> in the primary ocaml package in April 2016. Unfortunately, this patch
> was not included when the ocaml-4.01 package was created in January
> 2017.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
>
> Do we need this older version of OCaml? If so, we need a volunteer to
> maintain it.

Thanks for pointing this out. AFAIK OCaml 4.01 is really only used to build
pplacer, a bioinformatics program. I was planning on submitting 3 further
bioinformatic packages soon which rely on pplacer, however.

I'm not sure I have the bandwidth to backport patches to such an old
release, especially since the OCaml maintainers do not appear to be either,
AFAICS.

This is a little frustrating, but perhaps they should be removed. WDYT?
ben

From: Leo Famulari
To: Ben Woodcroft
Cc: 27462@debbugs.gnu.org
Date: Sat, 24 Jun 2017 12:03:04 -0400
Subject: Re: bug#27462: OCaml CVE-2015-8869

On Sat, Jun 24, 2017 at 10:25:52AM +1000, Ben Woodcroft wrote:
> On 24/06/17 02:41, Leo Famulari wrote:
> > Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
> > in the primary ocaml package in April 2016. Unfortunately, this patch
> > was not included when the ocaml-4.01 package was created in January
> > 2017.
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
> >
> > Do we need this older version of OCaml? If so, we need a volunteer to
> > maintain it.
>
> Thanks for pointing this out. AFAIK OCaml 4.01 is really only used to build
> pplacer, a bioinformatics program. I was planning on submitting 3 further
> bioinformatic packages soon which rely on pplacer, however.
>
> I'm not sure I have the bandwidth to backport patches to such an old
> release, especially since the OCaml maintainers do not appear to be either,
> AFAICS.
>
> This is a little frustrating, but perhaps they should be removed. WDYT?

That is a last resort :)

We should check if another distro has a patch for OCaml 4.01, if we can
backport the patch, if pplacer can use a newer OCaml, and only then
consider removing the packages.

From: ludo@gnu.org (Ludovic Courtès)
To: control@debbugs.gnu.org
Date: Thu, 27 Jul 2017 14:25:35 +0200
Subject: control message for bug #27462

tags 27462 security

From: Andreas Enge
To: 27462@debbugs.gnu.org
Cc: Ben Woodcroft
Date: Thu, 31 Jan 2019 17:57:03 +0100
Subject: OCaml CVE-2015-8869

Hello,

this bug has been open for quite a while, and the development of pplacer seems
to be stalled, with the latest commit in May 2018, and no reaction whatsoever
to Ben's bug report
   https://github.com/matsen/pplacer/issues/354

How should we continue? Are people using the software, or should we maybe
remove it?
Andreas

From: Andreas Enge
To: 27462@debbugs.gnu.org
Cc: Ben Woodcroft
Date: Thu, 31 Jan 2019 18:21:13 +0100
Subject: Re: OCaml CVE-2015-8869

On Thu, Jan 31, 2019 at 05:57:03PM +0100, Andreas Enge wrote:
> Are people using the software

I suppose not, because one of its dependencies currently does not
build:

...
phase `ocaml-findlib-environment' succeeded after 0.0 seconds
starting phase `configure'
build directory: "/tmp/guix-build-ocaml4.01-gsl-1.22.0.drv-0/gsl-1.22.0"
running 'configure' with arguments ("-prefix" "/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0")
Backtrace:
           5 (primitive-load "/gnu/store/g4hk79x8kdpgnq87jhy6qjj9qa1…")
In ice-9/eval.scm:
   191:35  4 (_ _)
In srfi/srfi-1.scm:
   863:16  3 (every1 # …)
In /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/gnu-build-system.scm:
   799:28  2 (_ _)
In /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/ocaml-build-system.scm:
     55:8  1 (configure #:outputs _ #:configure-flags _ #:test-flags …)
In /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:
    616:6  0 (invoke _ . _)

/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:616:6: In procedure invoke:
Throw to key `srfi-34' with args `(#)'.
builder for `/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv' failed with exit code 1
build of /gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv failed
...

Shall we remove all the ocaml-4.01 universe? The next step would be 4.02,
it appears that the CVE is solved with 4.03 only:
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
   "OCaml before 4.03.0 does not properly handle..."
Andreas

From: swedebugia
To: bug-guix@gnu.org
Date: Thu, 31 Jan 2019 18:26:32 +0100
Subject: Re: bug#27462: OCaml CVE-2015-8869

On 2019-01-31 17:57, Andreas Enge wrote:
> Hello,
>
> this bug has been open for quite a while, and the development of pplacer seems
> to be stalled, with the latest commit in May 2018, and no reaction whatsoever
> to Ben's bug report
>     https://github.com/matsen/pplacer/issues/354
>
> How should we continue? Are people using the software, or should we maybe
> remove it?

Remove sounds good to me.
-- Cheers Swedebugia From debbugs-submit-bounces@debbugs.gnu.org Thu Jan 31 12:30:57 2019 Received: (at submit) by debbugs.gnu.org; 31 Jan 2019 17:30:57 +0000 Received: from localhost ([127.0.0.1]:53289 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1gpGAz-0006df-Ci for submit@debbugs.gnu.org; Thu, 31 Jan 2019 12:30:57 -0500 Received: from eggs.gnu.org ([209.51.188.92]:58432) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1gpGAx-0006dP-R4 for submit@debbugs.gnu.org; Thu, 31 Jan 2019 12:30:56 -0500 Received: from lists.gnu.org ([209.51.188.17]:39710) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1gpGAs-0007sX-Ki for submit@debbugs.gnu.org; Thu, 31 Jan 2019 12:30:50 -0500 Received: from eggs.gnu.org ([209.51.188.92]:44576) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1gpGAr-0002H9-3F for bug-guix@gnu.org; Thu, 31 Jan 2019 12:30:50 -0500 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-0.6 required=5.0 tests=BAYES_00, RCVD_IN_BL_SPAMCOP_NET autolearn=disabled version=3.3.2 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1gpGAp-0007rD-MN for bug-guix@gnu.org; Thu, 31 Jan 2019 12:30:49 -0500 Received: from lepiller.eu ([2a00:5884:8208::1]:40642) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1gpGAp-0007kX-Bx for bug-guix@gnu.org; Thu, 31 Jan 2019 12:30:47 -0500 Received: from [100.67.186.84] (slc-exit.privateinternetaccess.com [173.244.209.5]) by lepiller.eu (OpenSMTPD) with ESMTPSA id c1e3f02d (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO); Thu, 31 Jan 2019 17:30:36 +0000 (UTC) Date: Thu, 31 Jan 2019 18:30:27 +0100 User-Agent: K-9 Mail for Android In-Reply-To: <20190131172113.GA29071@jurong> References: <20190131165613.GA27597@jurong> <20190131172113.GA29071@jurong> MIME-Version: 1.0 Content-Type: 
text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Subject: Re: bug#27462: OCaml CVE-2015-8869 To: bug-guix@gnu.org,Andreas Enge ,27462@debbugs.gnu.org From: Julien Lepiller Message-ID: <96513178-922C-49D6-AF32-0EF723343C8E@lepiller.eu> X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 2a00:5884:8208::1 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Spam-Score: 1.2 (+) X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Le 31 janvier 2019 18:21:13 GMT+01:00, Andreas Enge a écrit : >On Thu, Jan 31, 2019 at 05:57:03PM +0100, Andreas Enge wrote: >> Are people using the software > >I suppose not, becau [...] Content analysis details: (1.2 points, 10.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net [Blocked - see ] X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.2 (/) Le 31 janvier 2019 18:21:13 GMT+01:00, Andreas Enge a = =C3=A9crit : >On Thu, Jan 31, 2019 at 05:57:03PM +0100, Andreas Enge wrote: >> Are people using the software > >I suppose not, because one of its dependencies currently does not >build: > >=2E=2E=2E >phase `ocaml-findlib-environment' succeeded after 0=2E0 seconds >starting phase `configure' >build directory: >"/tmp/guix-build-ocaml4=2E01-gsl-1=2E22=2E0=2Edrv-0/gsl-1=2E22=2E0" >running 'configure' with arguments ("-prefix" 
>"/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4=2E01-gsl-1=2E22=2E0") >Backtrace: > 5 (primitive-load "/gnu/store/g4hk79x8kdpgnq87jhy6qjj9qa1=E2= =80=A6") >In ice-9/eval=2Escm: > 191:35 4 (_ _) >In srfi/srfi-1=2Escm: > 863:16 3 (every1 # =E2=80=A6) >In >/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/gnu-= build-system=2Escm: > 799:28 2 (_ _) >In >/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/ocam= l-build-system=2Escm: > 55:8 1 (configure #:outputs _ #:configure-flags _ #:test-flags =E2= =80=A6) >In >/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/util= s=2Escm: > 616:6 0 (invoke _ =2E _) > >/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/util= s=2Escm:616:6: >In procedure invoke: >Throw to key `srfi-34' with args `(#"=2E/configure" arguments: ("-prefix" >"/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4=2E01-gsl-1=2E22=2E0") >exit-status: 127 term-signal: #f stop-signal: #f] 491fc0>)'=2E >builder for >`/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4=2E01-gsl-1=2E22=2E0= =2Edrv' >failed with exit code 1 >build of >/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4=2E01-gsl-1=2E22=2E0=2E= drv >failed >=2E=2E=2E > >Shall we remove all the ocaml-4=2E01 universe? 
The next step would be >4=2E02, >it appears that the CVE is solved with 4=2E03 only: > >https://cve=2Emitre=2Eorg/cgi-bin/cvename=2Ecgi?name=3DCVE-2015-8869 > "OCaml before 4=2E03=2E0 does not properly handle=2E=2E=2E" > >Andreas I still care about ocaml-4=2E02, but I could probably update it to ocaml-4= =2E04 without breaking dependents=2E From debbugs-submit-bounces@debbugs.gnu.org Tue Feb 19 17:18:00 2019 Received: (at 27462) by debbugs.gnu.org; 19 Feb 2019 22:18:00 +0000 Received: from localhost ([127.0.0.1]:56821 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1gwDiB-0000fB-Dn for submit@debbugs.gnu.org; Tue, 19 Feb 2019 17:17:59 -0500 Received: from hera.aquilenet.fr ([185.233.100.1]:54100) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1gwDi8-0000f1-D4 for 27462@debbugs.gnu.org; Tue, 19 Feb 2019 17:17:57 -0500 Received: from localhost (localhost [127.0.0.1]) by hera.aquilenet.fr (Postfix) with ESMTP id D35B02C48; Tue, 19 Feb 2019 23:17:54 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at aquilenet.fr Received: from hera.aquilenet.fr ([127.0.0.1]) by localhost (hera.aquilenet.fr [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hX2jXy5dRN0W; Tue, 19 Feb 2019 23:17:54 +0100 (CET) Received: from jurong (unknown [IPv6:2001:910:103f:0:2d09:8018:be35:9702]) by hera.aquilenet.fr (Postfix) with ESMTPSA id 07220222A; Tue, 19 Feb 2019 23:17:53 +0100 (CET) Date: Tue, 19 Feb 2019 23:17:52 +0100 From: Andreas Enge To: Julien Lepiller Subject: Re: bug#27462: OCaml CVE-2015-8869 Message-ID: <20190219221752.GA4351@jurong> References: <20190131165613.GA27597@jurong> <20190131172113.GA29071@jurong> <96513178-922C-49D6-AF32-0EF723343C8E@lepiller.eu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <96513178-922C-49D6-AF32-0EF723343C8E@lepiller.eu> User-Agent: Mutt/1.11.2 (2019-01-07) X-Spam-Score: 0.7 (/) X-Debbugs-Envelope-To: 27462 Cc: 27462@debbugs.gnu.org, 
On Thu, Jan 31, 2019 at 06:30:27PM +0100, Julien Lepiller wrote:
> I still care about ocaml-4.02, but I could probably update it to ocaml-4.04 without breaking dependents.

Commits 2e125ece093ef842ca017ffb146cbc5fa33f2f75 and
4982c0c98deecea0d4f69f14ea28cab53b5f2123 remove ocaml@4.01, pplacer and
all other dependent packages.

Is ocaml@4.02 really needed? It would be nice to get rid of a package
with CVE.

Andreas

From debbugs-submit-bounces@debbugs.gnu.org Wed Feb 20 03:39:39 2019
From: Julien Lepiller
To: Andreas Enge
Date: Wed, 20 Feb 2019 09:39:20 +0100
Subject: Re: bug#27462: OCaml CVE-2015-8869
On 19 February 2019 23:17:52 GMT+01:00, Andreas Enge wrote:
>On Thu, Jan 31, 2019 at 06:30:27PM +0100, Julien Lepiller wrote:
>> I still care about ocaml-4.02, but I could probably update it to
>ocaml-4.04 without breaking dependents.
>
>Commits 2e125ece093ef842ca017ffb146cbc5fa33f2f75 and
>4982c0c98deecea0d4f69f14ea28cab53b5f2123 remove ocaml@4.01, pplacer and
>all other dependent packages.
>
>Is ocaml@4.02 really needed? It would be nice to get rid of a package
>with CVE.
>
>Andreas

At this point, we only need it for bap and dependencies. I've added dependencies for the latest bap commit that work with the latest ocaml, but they haven't released a new version yet. Can we wait a bit longer?
Another solution would be to jump to ocaml 4.05 and re-package another version of ~50 dependencies. I don't really want to do that…

From debbugs-submit-bounces@debbugs.gnu.org Wed Feb 20 06:27:57 2019
From: Andreas Enge
To: Julien Lepiller
Date: Wed, 20 Feb 2019 12:27:47 +0100
Subject: Re: bug#27462: OCaml CVE-2015-8869
On Wed, Feb 20, 2019 at 09:39:20AM +0100, Julien Lepiller wrote:
> At this point, we only need it for bap and dependencies. I've added dependencies for the latest bap commit that work with the latest ocaml, but they haven't released a new version yet. Can we wait a bit longer?
>
> Another solution would be to jump to ocaml 4.05 and re-package another version of ~50 dependencies. I don't really want to do that…

I understand! Waiting a bit more should be okay given how long this bug
is already open... Or packaging a current snapshot of bap (with suitable
numbering as laid out, I think, in the documentation, so that users will
upgrade automatically from the current version over the snapshot to the
next released version).

Thanks,

Andreas

From debbugs-submit-bounces@debbugs.gnu.org Fri Jul 05 08:13:01 2019
From: Julien Lepiller
To: 27462-done@debbugs.gnu.org
Date: Fri, 05 Jul 2019 14:12:56 +0200
Subject: OCaml CVE-2015-8869
Ocaml-4.02 was removed a few months ago in c3634df2 but I forgot to close this bug report.

From unknown Mon Jun 23 22:04:49 2025
From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Date: Sat, 03 Aug 2019 11:24:06 +0000
Subject: Internal Control
Message-Id: bug archived.

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator