GNU bug report logs

#27463 OCaml CVE-2017-9772


Report forwarded to bug-guix@gnu.org:
bug#27463; Package guix. (Fri, 23 Jun 2017 16:43:02 GMT).


Acknowledgement sent to Leo Famulari <leo@famulari.name>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org. (Fri, 23 Jun 2017 16:43:02 GMT).


Message #5 received at submit@debbugs.gnu.org:

From: Leo Famulari <leo@famulari.name>
To: bug-guix@gnu.org
Subject: OCaml CVE-2017-9772
Date: Fri, 23 Jun 2017 12:41:50 -0400
Our packages of OCaml 4.02.3 and 4.01.0 are vulnerable to CVE-2017-9772:

http://seclists.org/oss-sec/2017/q2/575
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9772

Information forwarded to bug-guix@gnu.org:
bug#27463; Package guix. (Thu, 29 Jun 2017 19:18:01 GMT).


Message #8 received at 27463@debbugs.gnu.org:

From: Efraim Flashner <efraim@flashner.co.il>
To: Leo Famulari <leo@famulari.name>
Cc: 27463@debbugs.gnu.org
Subject: Re: bug#27463: OCaml CVE-2017-9772
Date: Thu, 29 Jun 2017 22:17:41 +0300
On Fri, Jun 23, 2017 at 12:41:50PM -0400, Leo Famulari wrote:
> Our packages of OCaml 4.02.3 and 4.01.0 are vulnerable to CVE-2017-9772:
> 
> http://seclists.org/oss-sec/2017/q2/575
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9772

According to Debian¹ only Ocaml-4.04.[01] is affected

¹https://security-tracker.debian.org/tracker/CVE-2017-9772

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

Added tag(s) security. Request was from ludo@gnu.org (Ludovic Courtès) to control@debbugs.gnu.org. (Thu, 27 Jul 2017 12:26:02 GMT).


Information forwarded to bug-guix@gnu.org:
bug#27463; Package guix. (Thu, 14 Nov 2019 16:24:01 GMT).


Message #13 received at 27463@debbugs.gnu.org:

From: zimoun <zimon.toutoune@gmail.com>
To: 27463@debbugs.gnu.org, Leo Famulari <leo@famulari.name>, Julien Lepiller <julien@lepiller.eu>, Ludovic Courtès <ludo@gnu.org>
Subject: Bug #27463 Hunting: OCaml CVE-2017-9772
Date: Thu, 14 Nov 2019 17:22:41 +0100
Dear,

This bug was opened for OCaml versions 4.02 and 4.01, then Debian said
it affects version 4.04 and today (two years later) the version is
4.07. Does this security still make sense?

If yes, please tell me what I can do to proceed: apply the
security patch and close the issue.
If no, I plan to close this bug.


Thank you in advance for any comments.

All the best,
simon

https://debbugs.gnu.org/cgi/bugreport.cgi?bug=27463




Reply sent to Julien Lepiller <julien@lepiller.eu>:
You have taken responsibility. (Thu, 14 Nov 2019 17:24:02 GMT).


Notification sent to Leo Famulari <leo@famulari.name>:
bug acknowledged by developer. (Thu, 14 Nov 2019 17:24:02 GMT).


Message #18 received at 27463-done@debbugs.gnu.org:

From: Julien Lepiller <julien@lepiller.eu>
To: zimoun <zimon.toutoune@gmail.com>,27463-done@debbugs.gnu.org
Subject: Re: Bug #27463 Hunting: OCaml CVE-2017-9772
Date: Thu, 14 Nov 2019 18:23:43 +0100
On 14 November 2019 17:22:41 GMT+01:00, zimoun <zimon.toutoune@gmail.com> wrote:
>Dear,
>
>This bug was opened for OCaml versions 4.02 and 4.01, then Debian said
>it affects version 4.04 and today (two years later) the version is
>4.07. Does this security still make sense?
>
>If yes, please tell me what I can do to proceed: apply the
>security patch and close the issue.
>If no, I plan to close this bug.
>
>
>Thank you in advance for any comments.
>
>All the best,
>simon
>
>https://debbugs.gnu.org/cgi/bugreport.cgi?bug=27463

Closing as the security issue does not apply to our OCaml version.




bug archived. Request was from Debbugs Internal Request <help-debbugs@gnu.org> to internal_control@debbugs.gnu.org. (Fri, 13 Dec 2019 12:24:04 GMT).




debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 06:24:56 2024; Machine Name: wallace-server
