From: Ben Woodcroft
Subject: bug#27462: OCaml CVE-2015-8869
Date: Sat, 24 Jun 2017 10:25:52 +1000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1

Hi Leo,

On 24/06/17 02:41, Leo Famulari wrote:
> Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched in the primary ocaml package in April 2016. Unfortunately, this patch was not included when the ocaml-4.01 package was created in January 2017.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
>
> Do we need this older version of OCaml? If so, we need a volunteer to maintain it.

Thanks for pointing this out. AFAIK OCaml 4.01 is really only used to build pplacer, a bioinformatics program. I was planning on submitting 3 further bioinformatic packages soon which rely on pplacer, however.
I'm not sure I have the bandwidth to backport patches to such an old release, especially since the OCaml maintainers do not appear to be either, AFAICS.
This is a little frustrating, but perhaps they should be removed. WDYT?

ben