OCaml CVE-2017-9772

Done
Submitted by Leo Famulari.
Details
5 participants
  • Efraim Flashner
  • Julien Lepiller
  • Leo Famulari
  • Ludovic Courtès
  • zimoun
Owner
unassigned
Severity
normal
Leo Famulari wrote on 23 Jun 2017 18:41
(address . bug-guix@gnu.org)
20170623164150.GA15440@jasmine.lan
Our packages of OCaml 4.02.3 and 4.01.0 are vulnerable to CVE-2017-9772:
http://seclists.org/oss-sec/2017/q2/575
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9772

Efraim Flashner wrote on 29 Jun 2017 21:17
(name . Leo Famulari)(address . leo@famulari.name)(address . 27463@debbugs.gnu.org)
20170629191741.GE1734@macbook42.flashner.co.il
On Fri, Jun 23, 2017 at 12:41:50PM -0400, Leo Famulari wrote:
> Our packages of OCaml 4.02.3 and 4.01.0 are vulnerable to CVE-2017-9772:
>
> http://seclists.org/oss-sec/2017/q2/575
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9772
According to Debian¹ only Ocaml-4.04.[01] is affected
¹https://security-tracker.debian.org/tracker/CVE-2017-9772
--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

Ludovic Courtès wrote on 27 Jul 2017 14:25
control message for bug #27463
(address . control@debbugs.gnu.org)
87shhi3w3q.fsf@gnu.org
tags 27463 security
zimoun wrote on 14 Nov 2019 17:22
Bug #27463 Hunting: OCaml CVE-2017-9772
CAJ3okZ13eoBcSC+rPOhMfZ6nCQRbGbSGROjikCUSeSQV-XAKaw@mail.gmail.com
Dear,
This bug was opened for Ocaml version 4.02 and 4.01, then Debian said it affects version 4.04 and today (two years later) the version is 4.07. Does this security still make sense?
If yes, please indicate me what can I do to proceed: apply the security patch and close the issue.
If no, I plan to close this bug.

Thank you in advance for any comments.
All the best,
simon
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=27463
Julien Lepiller wrote on 14 Nov 2019 18:23
1BA7F507-8EF5-4F79-A921-965CF141BC27@lepiller.eu
On 14 November 2019 17:22:41 GMT+01:00, zimoun <zimon.toutoune@gmail.com> wrote:
>Dear,
>
>This bug was opened for Ocaml version 4.02 and 4.01, then Debian said
>it affects version 4.04 and today (two years later) the version is
>4.07. Does this security still make sense?
>
>If yes, please indicate me what can I do to proceed: apply the
>security patch and close the issue.
>If no, I plan to close this bug.
>
>
>Thank you in advance for any comments.
>
>All the best,
>simon
>
>https://debbugs.gnu.org/cgi/bugreport.cgi?bug=27463
Closing as the security issue does not apply to our OCaml version.
Closed
This issue is archived.

To comment on this conversation send email to 27463@debbugs.gnu.org