bug-guix

bug#27462: OCaml CVE-2015-8869


From: Ben Woodcroft
Subject: bug#27462: OCaml CVE-2015-8869
Date: Sat, 24 Jun 2017 10:25:52 +1000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1

Hi Leo,


On 24/06/17 02:41, Leo Famulari wrote:
> Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
> in the primary ocaml package in April 2016. Unfortunately, this patch
> was not included when the ocaml-4.01 package was created in January
> 2017.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
>
> Do we need this older version of OCaml? If so, we need a volunteer to
> maintain it.

Thanks for pointing this out. AFAIK OCaml 4.01 is really only used to build pplacer, a bioinformatics program. I was planning on submitting 3 further bioinformatic packages soon which rely on pplacer, however.

I'm not sure I have the bandwidth to backport patches to such an old release, especially since the OCaml maintainers do not appear to be either, AFAICS.

This is a little frustrating, but perhaps they should be removed. WDYT?

ben




