GNU bug report logs -
#27462
OCaml CVE-2015-8869
Previous Next
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Fri, 23 Jun 2017 16:42:02 UTC
Severity: normal
Tags: security
Done: Julien Lepiller <julien <at> lepiller.eu>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
[Message part 1 (text/plain, inline)]
On Sat, Jun 24, 2017 at 10:25:52AM +1000, Ben Woodcroft wrote:
> On 24/06/17 02:41, Leo Famulari wrote:
> > Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
> > in the primary ocaml package in April 2016. Unfortunately, this patch
> > was not included when the ocaml-4.01 package was created in January
> > 2017.
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
> >
> > Do we need this older version of OCaml? If so, we need a volunteer to
> > maintain it.
>
> Thanks for pointing this out. AFAIK OCaml 4.01 is really only used to build
> pplacer, a bioinformatics program. I was planning on submitting 3 further
> bioinformatic packages soon which rely on pplacer, however.
>
> I'm not sure I have the bandwidth to backport patches to such an old
> release, especially since the OCaml maintainers do not appear to be either,
> AFAICS.
>
> This is a little frustrating, but perhaps they should be removed. WDYT?
That is a last resort :)
We should check if another distro has a patch for OCaml 4.01, if we can
backport the patch, if pplacer can use a newer OCaml, and only then
consider removing the packages.
[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 5 years and 326 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.