GNU bug report logs - #27462
OCaml CVE-2015-8869

Previous Next

Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Fri, 23 Jun 2017 16:42:02 UTC

Severity: normal

Tags: security

Done: Julien Lepiller <julien <at> lepiller.eu>

Bug is archived. No further changes may be made.

Full log

Message #8 received at 27462 <at> debbugs.gnu.org (full text, mbox):

From: Ben Woodcroft <b.woodcroft <at> uq.edu.au>
To: Leo Famulari <leo <at> famulari.name>, 27462 <at> debbugs.gnu.org
Subject: Re: bug#27462: OCaml CVE-2015-8869
Date: Sat, 24 Jun 2017 10:25:52 +1000

Hi Leo,


On 24/06/17 02:41, Leo Famulari wrote:
> Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
> in the primary ocaml package in April 2016. Unfortunately, this patch
> was not included when the ocaml-4.01 package was created in January
> 2017.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
>
> Do we need this older version of OCaml? If so, we need a volunteer to
> maintain it.

Thanks for pointing this out. AFAIK OCaml 4.01 is really only used to 
build pplacer, a bioinformatics program. I was planning on submitting 3 
further bioinformatic packages soon which rely on pplacer, however.

I'm not sure I have the bandwidth to backport patches to such an old 
release, especially since the OCaml maintainers do not appear to be 
either, AFAICS.

This is a little frustrating, but perhaps they should be removed. WDYT?

ben
This bug report was last modified 5 years and 326 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.