#27462 - OCaml CVE-2015-8869 - GNU bug report logs

Package	Source(s)		Maintainer(s)
guix		PTS Buildd Popcon

Message #8 received at 27462@debbugs.gnu.org (full text, mbox, reply):

Received: (at 27462) by debbugs.gnu.org; 24 Jun 2017 00:26:04 +0000
From debbugs-submit-bounces@debbugs.gnu.org Fri Jun 23 20:26:04 2017
Received: from localhost ([127.0.0.1]:34952 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1dOYto-0008G2-7H
	for submit@debbugs.gnu.org; Fri, 23 Jun 2017 20:26:04 -0400
Received: from mailhub2.soe.uq.edu.au ([130.102.132.209]:35672
 helo=newmailhub.uq.edu.au)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <b.woodcroft@uq.edu.au>) id 1dOYtl-0008Fb-9d
 for 27462@debbugs.gnu.org; Fri, 23 Jun 2017 20:26:02 -0400
Received: from smtp1.soe.uq.edu.au (smtp1.soe.uq.edu.au [10.138.113.40])
 by newmailhub.uq.edu.au (8.14.5/8.14.5) with ESMTP id v5O0PtGl003082;
 Sat, 24 Jun 2017 10:25:57 +1000
Received: from [192.168.1.105] (static.customers.nuskope.com.au
 [103.25.181.216] (may be forged)) (authenticated bits=0)
 by smtp1.soe.uq.edu.au (8.14.5/8.14.5) with ESMTP id v5O0Prvp026879
 (version=TLSv1.2 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT);
 Sat, 24 Jun 2017 10:25:54 +1000
Subject: Re: bug#27462: OCaml CVE-2015-8869
To: Leo Famulari <leo@famulari.name>, 27462@debbugs.gnu.org
References: <20170623164129.GA4417@jasmine.lan>
From: Ben Woodcroft <b.woodcroft@uq.edu.au>
Message-ID: <faae92d6-1f30-9e7f-4e56-f7c69a794388@uq.edu.au>
Date: Sat, 24 Jun 2017 10:25:52 +1000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.1.1
MIME-Version: 1.0
In-Reply-To: <20170623164129.GA4417@jasmine.lan>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
X-UQ-FilterTime: 1498263958
X-Scanned-By: MIMEDefang 2.73 on UQ Mailhub
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 27462
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -2.3 (--)

Hi Leo,

On 24/06/17 02:41, Leo Famulari wrote:
> Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
> in the primary ocaml package in April 2016. Unfortunately, this patch
> was not included when the ocaml-4.01 package was created in January
> 2017.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
>
> Do we need this older version of OCaml? If so, we need a volunteer to
> maintain it.

Thanks for pointing this out. AFAIK OCaml 4.01 is really only used to 
build pplacer, a bioinformatics program. I was planning on submitting 3 
further bioinformatic packages soon which rely on pplacer, however.

I'm not sure I have the bandwidth to backport patches to such an old 
release, especially since the OCaml maintainers do not appear to be 
either, AFAICS.

This is a little frustrating, but perhaps they should be removed. WDYT?

ben

Display info messages

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Tue Mar 11 06:59:50 2025; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

#27462 OCaml CVE-2015-8869