bug#27462: OCaml CVE-2015-8869

bug-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#27462: OCaml CVE-2015-8869

From:	Leo Famulari
Subject:	bug#27462: OCaml CVE-2015-8869
Date:	Sat, 24 Jun 2017 12:03:04 -0400
User-agent:	Mutt/1.8.3 (2017-05-23)

On Sat, Jun 24, 2017 at 10:25:52AM +1000, Ben Woodcroft wrote:
> On 24/06/17 02:41, Leo Famulari wrote:
> > Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
> > in the primary ocaml package in April 2016. Unfortunately, this patch
> > was not included when the ocaml-4.01 package was created in January
> > 2017.
> > 
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
> > 
> > Do we need this older version of OCaml? If so, we need a volunteer to
> > maintain it.
> 
> Thanks for pointing this out. AFAIK OCaml 4.01 is really only used to build
> pplacer, a bioinformatics program. I was planning on submitting 3 further
> bioinformatic packages soon which rely on pplacer, however.
> 
> I'm not sure I have the bandwidth to backport patches to such an old
> release, especially since the OCaml maintainers do not appear to be either,
> AFAICS.
> 
> This is a little frustrating, but perhaps they should be removed. WDYT?

That is a last resort :)

We should check if another distro has a patch for OCaml 4.01, if we can
backport the patch, if pplacer can use a newer OCaml, and only then
consider removing the packages.

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

bug#27462: OCaml CVE-2015-8869, Leo Famulari, 2017/06/23
- bug#27462: OCaml CVE-2015-8869, Ben Woodcroft, 2017/06/23
  - bug#27462: OCaml CVE-2015-8869, Leo Famulari <=

Prev by Date: bug#27467: Xfce broken, because it propagates two different versions of gtk+
Next by Date: bug#27476: Wrong type (expecting mutex)
Previous by thread: bug#27462: OCaml CVE-2015-8869
Next by thread: bug#27463: OCaml CVE-2017-9772
Index(es):
- Date
- Thread