Hi, [putting this back on the debian-ocaml-maint list]
On Wed, May 18, 2016 at 07:41:19PM +0200, Salvatore Bonaccorso wrote:
> Hi Ralf,
> 
> On Wed, May 18, 2016 at 08:38:42AM +0200, Ralf Treinen wrote:
> > Hi,
> > 
> > On Tue, May 17, 2016 at 08:55:54PM +0200, Salvatore Bonaccorso wrote:
> > > Hello OCaml maintainers :-)
> > > 
> > > On Thu, May 12, 2016 at 09:54:29PM +0200, Moritz Mühlenhoff wrote:
> > > > On Thu, May 12, 2016 at 08:47:00PM +0200, Salvatore Bonaccorso wrote:
> > > > > Hi Team,
> > > > > 
> > > > > I tend to mark CVE-2015-8869/ocaml in the tracker as no-dsa. The
> > > > > reason is we would need to recompile reverse dependencies using the
> > > > > patched functions.
> > > > 
> > > > [Adding ocaml maintainers to CC]
> > > > 
> > > > Do we know whether packages in the archive are affected?
> > > 
> > > Any information for that?
> > 
> > Stéphane had answered the same question by Thorsten Alteholz:
> > 
> > https://lists.debian.org/debian-ocaml-maint/2016/05/msg00042.html
> 
> Thanks for pointing us to that reply, appreciated.
> 
> IMHO the best option would then be to fix this via a jessie point
> release and do proper binNMUs there. Doing it via security would imply
> sourceful uploads for every reverse dependency, which has never been
> done so far on security.d.o (for the other cases a binNMU would work).
> 
> I will mark this in the security-tracker as no-dsa, indicating to fix
> it via a jessie point release. Can you first fix it in unstable and
> then contact the SRM for an update via jessie-pu?

Stéphane, are you taking care of this?

-Ralf.

