From: Leo Famulari
To: Ben Woodcroft
Cc: 27462@debbugs.gnu.org
Date: Sat, 24 Jun 2017 12:03:04 -0400
Subject: Re: bug#27462: OCaml CVE-2015-8869
Message-ID: <20170624160304.GA10364@jasmine.lan>
References: <20170623164129.GA4417@jasmine.lan>
User-Agent: Mutt/1.8.3 (2017-05-23)

On Sat, Jun 24, 2017 at 10:25:52AM +1000, Ben Woodcroft wrote:
> On 24/06/17 02:41, Leo Famulari wrote:
> > Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
> > in the primary ocaml package in April 2016. Unfortunately, this patch
> > was not included when the ocaml-4.01 package was created in January
> > 2017.
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
> >
> > Do we need this older version of OCaml? If so, we need a volunteer to
> > maintain it.
>
> Thanks for pointing this out. AFAIK OCaml 4.01 is really only used to build
> pplacer, a bioinformatics program. I was planning on submitting 3 further
> bioinformatic packages soon which rely on pplacer, however.
>
> I'm not sure I have the bandwidth to backport patches to such an old
> release, especially since the OCaml maintainers do not appear to be either,
> AFAICS.
>
> This is a little frustrating, but perhaps they should be removed. WDYT?

That is a last resort :)

We should check if another distro has a patch for OCaml 4.01, if we can
backport the patch, if pplacer can use a newer OCaml, and only then
consider removing the packages.