bug#27462: OCaml CVE-2015-8869
Ocaml-4.02 was removed a few months ago in c3634df2 but I forgot to close this bug report.
bug#27462: OCaml CVE-2015-8869
On Wed, Feb 20, 2019 at 09:39:20AM +0100, Julien Lepiller wrote:
> At this point, we only need it for bap and dependencies. I've added
> dependencies for the latest bap commit that work with the latest ocaml, but
> they haven't released a new version yet. Can we wait a bit longer?
>
> Another solution would be to jump to ocaml 4.05 and re-package another
> version of ~50 dependencies. I don't really want to do that…

I understand! Waiting a bit more should be okay given how long this bug is
already open... Or packaging a current snapshot of bap (with suitable
numbering as laid out, I think, in the documentation, so that users will
upgrade automatically from the current version over the snapshot to the
next released version).

Thanks,
Andreas
bug#27462: OCaml CVE-2015-8869
On 19 February 2019 23:17:52 GMT+01:00, Andreas Enge wrote:
> On Thu, Jan 31, 2019 at 06:30:27PM +0100, Julien Lepiller wrote:
>> I still care about ocaml-4.02, but I could probably update it to
>> ocaml-4.04 without breaking dependents.
>
> Commits 2e125ece093ef842ca017ffb146cbc5fa33f2f75 and
> 4982c0c98deecea0d4f69f14ea28cab53b5f2123 remove ocaml@4.01, pplacer and
> all other dependent packages.
>
> Is ocaml@4.02 really needed? It would be nice to get rid of a package
> with CVE.
>
> Andreas

At this point, we only need it for bap and dependencies. I've added
dependencies for the latest bap commit that work with the latest ocaml, but
they haven't released a new version yet. Can we wait a bit longer?

Another solution would be to jump to ocaml 4.05 and re-package another
version of ~50 dependencies. I don't really want to do that…
bug#27462: OCaml CVE-2015-8869
On Thu, Jan 31, 2019 at 06:30:27PM +0100, Julien Lepiller wrote:
> I still care about ocaml-4.02, but I could probably update it to ocaml-4.04
> without breaking dependents.

Commits 2e125ece093ef842ca017ffb146cbc5fa33f2f75 and
4982c0c98deecea0d4f69f14ea28cab53b5f2123 remove ocaml@4.01, pplacer and
all other dependent packages.

Is ocaml@4.02 really needed? It would be nice to get rid of a package
with CVE.

Andreas
bug#27462: OCaml CVE-2015-8869
On 31 January 2019 18:21:13 GMT+01:00, Andreas Enge wrote:
> On Thu, Jan 31, 2019 at 05:57:03PM +0100, Andreas Enge wrote:
>> Are people using the software
>
> I suppose not, because one of its dependencies currently does not
> build:
>
> ...
> phase `ocaml-findlib-environment' succeeded after 0.0 seconds
> starting phase `configure'
> build directory:
> "/tmp/guix-build-ocaml4.01-gsl-1.22.0.drv-0/gsl-1.22.0"
> running 'configure' with arguments ("-prefix"
> "/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0")
> Backtrace:
>            5 (primitive-load "/gnu/store/g4hk79x8kdpgnq87jhy6qjj9qa1…")
> In ice-9/eval.scm:
>     191:35  4 (_ _)
> In srfi/srfi-1.scm:
>     863:16  3 (every1 # …)
> In
> /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/gnu-build-system.scm:
>     799:28  2 (_ _)
> In
> /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/ocaml-build-system.scm:
>       55:8  1 (configure #:outputs _ #:configure-flags _ #:test-flags …)
> In
> /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:
>      616:6  0 (invoke _ . _)
>
> /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:616:6:
> In procedure invoke:
> Throw to key `srfi-34' with args `(#"./configure" arguments: ("-prefix"
> "/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0")
> exit-status: 127 term-signal: #f stop-signal: #f] 491fc0>)'.
> builder for
> `/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv'
> failed with exit code 1
> build of
> /gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv
> failed
> ...
>
> Shall we remove all the ocaml-4.01 universe? The next step would be
> 4.02,
> it appears that the CVE is solved with 4.03 only:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
>   "OCaml before 4.03.0 does not properly handle..."
>
> Andreas

I still care about ocaml-4.02, but I could probably update it to
ocaml-4.04 without breaking dependents.
bug#27462: OCaml CVE-2015-8869
On 2019-01-31 17:57, Andreas Enge wrote:
> Hello,
>
> this bug has been open for quite a while, and the development of pplacer
> seems to be stalled, with the latest commit in May 2018, and no reaction
> whatsoever to Ben's bug report
>    https://github.com/matsen/pplacer/issues/354
>
> How should we continue? Are people using the software, or should we
> maybe remove it?

Remove sounds good to me.

-- 
Cheers
Swedebugia
bug#27462: OCaml CVE-2015-8869
On Thu, Jan 31, 2019 at 05:57:03PM +0100, Andreas Enge wrote:
> Are people using the software

I suppose not, because one of its dependencies currently does not build:

...
phase `ocaml-findlib-environment' succeeded after 0.0 seconds
starting phase `configure'
build directory: "/tmp/guix-build-ocaml4.01-gsl-1.22.0.drv-0/gsl-1.22.0"
running 'configure' with arguments ("-prefix" "/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0")
Backtrace:
           5 (primitive-load "/gnu/store/g4hk79x8kdpgnq87jhy6qjj9qa1…")
In ice-9/eval.scm:
    191:35  4 (_ _)
In srfi/srfi-1.scm:
    863:16  3 (every1 # …)
In /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/gnu-build-system.scm:
    799:28  2 (_ _)
In /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/ocaml-build-system.scm:
      55:8  1 (configure #:outputs _ #:configure-flags _ #:test-flags …)
In /gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:
     616:6  0 (invoke _ . _)

/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:616:6: In procedure invoke:
Throw to key `srfi-34' with args `(#)'.
builder for `/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv' failed with exit code 1
build of /gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv failed
...

Shall we remove all the ocaml-4.01 universe? The next step would be 4.02,
it appears that the CVE is solved with 4.03 only:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
  "OCaml before 4.03.0 does not properly handle..."

Andreas
bug#27462: OCaml CVE-2015-8869
Hello,

this bug has been open for quite a while, and the development of pplacer
seems to be stalled, with the latest commit in May 2018, and no reaction
whatsoever to Ben's bug report
   https://github.com/matsen/pplacer/issues/354

How should we continue? Are people using the software, or should we
maybe remove it?

Andreas
bug#27462: OCaml CVE-2015-8869
On Sat, Jun 24, 2017 at 10:25:52AM +1000, Ben Woodcroft wrote:
> On 24/06/17 02:41, Leo Famulari wrote:
> > Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
> > in the primary ocaml package in April 2016. Unfortunately, this patch
> > was not included when the ocaml-4.01 package was created in January
> > 2017.
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
> >
> > Do we need this older version of OCaml? If so, we need a volunteer to
> > maintain it.
>
> Thanks for pointing this out. AFAIK OCaml 4.01 is really only used to build
> pplacer, a bioinformatics program. I was planning on submitting 3 further
> bioinformatic packages soon which rely on pplacer, however.
>
> I'm not sure I have the bandwidth to backport patches to such an old
> release, especially since the OCaml maintainers do not appear to be either,
> AFAICS.
>
> This is a little frustrating, but perhaps they should be removed. WDYT?

That is a last resort :)

We should check if another distro has a patch for OCaml 4.01, if we can
backport the patch, if pplacer can use a newer OCaml, and only then
consider removing the packages.
bug#27462: OCaml CVE-2015-8869
Hi Leo,

On 24/06/17 02:41, Leo Famulari wrote:
> Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
> in the primary ocaml package in April 2016. Unfortunately, this patch
> was not included when the ocaml-4.01 package was created in January
> 2017.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
>
> Do we need this older version of OCaml? If so, we need a volunteer to
> maintain it.

Thanks for pointing this out. AFAIK OCaml 4.01 is really only used to build
pplacer, a bioinformatics program. I was planning on submitting 3 further
bioinformatic packages soon which rely on pplacer, however.

I'm not sure I have the bandwidth to backport patches to such an old
release, especially since the OCaml maintainers do not appear to be either,
AFAICS.

This is a little frustrating, but perhaps they should be removed. WDYT?

ben
bug#27462: OCaml CVE-2015-8869
Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
in the primary ocaml package in April 2016. Unfortunately, this patch
was not included when the ocaml-4.01 package was created in January
2017.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869

Do we need this older version of OCaml? If so, we need a volunteer to
maintain it.