GNU bug report logs - #27462
OCaml CVE-2015-8869

Previous Next

Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Fri, 23 Jun 2017 16:42:02 UTC

Severity: normal

Tags: security

Done: Julien Lepiller <julien <at> lepiller.eu>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Julien Lepiller <julien <at> lepiller.eu>
To: Andreas Enge <andreas <at> enge.fr>
Cc: 27462 <at> debbugs.gnu.org
Subject: bug#27462: OCaml CVE-2015-8869
Date: Wed, 20 Feb 2019 09:39:20 +0100

Le 19 février 2019 23:17:52 GMT+01:00, Andreas Enge <andreas <at> enge.fr> a écrit :
>On Thu, Jan 31, 2019 at 06:30:27PM +0100, Julien Lepiller wrote:
>> I still care about ocaml-4.02, but I could probably update it to
>ocaml-4.04 without breaking dependents.
>
>Commits 2e125ece093ef842ca017ffb146cbc5fa33f2f75 and
>4982c0c98deecea0d4f69f14ea28cab53b5f2123 remove ocaml <at> 4.01, pplacer and
>all other dependent packages.
>
>Is ocaml <at> 4.02 really needed? It would be nice to get rid of a package
>with CVE.
>
>Andreas

At this point, we only need it for bap and dependencies. I've added dependencies for the latest bap commit that work with the latest ocaml, but they haven't released a new version yet. Can we wait a bit longer?

Another solution would be to jump to ocaml 4.05 and re-package another version of ~50 dependencies. I don't really want to do that…
This bug report was last modified 5 years and 326 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.