On Sat, Jun 24, 2017 at 10:25:52AM +1000, Ben Woodcroft wrote: > On 24/06/17 02:41, Leo Famulari wrote: > > Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched > > in the primary ocaml package in April 2016. Unfortunately, this patch > > was not included when the ocaml-4.01 package was created in January > > 2017. > > > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869 > > > > Do we need this older version of OCaml? If so, we need a volunteer to > > maintain it. > > Thanks for pointing this out. AFAIK OCaml 4.01 is really only used to build > pplacer, a bioinformatics program. I was planning on submitting 3 further > bioinformatic packages soon which rely on pplacer, however. > > I'm not sure I have the bandwidth to backport patches to such an old > release, especially since the OCaml maintainers do not appear to be either, > AFAICS. > > This is a little frustrating, but perhaps they should be removed. WDYT? That is a last resort :) We should check if another distro has a patch for OCaml 4.01, if we can backport the patch, if pplacer can use a newer OCaml, and only then consider removing the packages.