bug#27462: OCaml CVE-2015-8869

2019-07-05 Thread Julien Lepiller
Ocaml-4.02 was removed a few months ago in c3634df2 but I forgot to close this 
bug report.





bug#27462: OCaml CVE-2015-8869

2019-02-20 Thread Andreas Enge
On Wed, Feb 20, 2019 at 09:39:20AM +0100, Julien Lepiller wrote:
> At this point, we only need it for bap and dependencies. I've added 
> dependencies for the latest bap commit that work with the latest ocaml, but 
> they haven't released a new version yet. Can we wait a bit longer?
> 
> Another solution would be to jump to ocaml 4.05 and re-package another 
> version of ~50 dependencies. I don't really want to do that…

I understand! Waiting a bit more should be okay given how long this bug
is already open... Or packaging a current snapshot of bap (with suitable
numbering as laid out, I think, in the documentation, so that users
will upgrade automatically from the current version over the snapshot to
the next released version).

Thanks,

Andreas






bug#27462: OCaml CVE-2015-8869

2019-02-20 Thread Julien Lepiller
On 19 February 2019 23:17:52 GMT+01:00, Andreas Enge wrote:
>On Thu, Jan 31, 2019 at 06:30:27PM +0100, Julien Lepiller wrote:
>> I still care about ocaml-4.02, but I could probably update it to
>ocaml-4.04 without breaking dependents.
>
>Commits 2e125ece093ef842ca017ffb146cbc5fa33f2f75 and
>4982c0c98deecea0d4f69f14ea28cab53b5f2123 remove ocaml@4.01, pplacer and
>all other dependent packages.
>
>Is ocaml@4.02 really needed? It would be nice to get rid of a package
>with CVE.
>
>Andreas

At this point, we only need it for bap and dependencies. I've added 
dependencies for the latest bap commit that work with the latest ocaml, but 
they haven't released a new version yet. Can we wait a bit longer?

Another solution would be to jump to ocaml 4.05 and re-package another version 
of ~50 dependencies. I don't really want to do that…





bug#27462: OCaml CVE-2015-8869

2019-02-19 Thread Andreas Enge
On Thu, Jan 31, 2019 at 06:30:27PM +0100, Julien Lepiller wrote:
> I still care about ocaml-4.02, but I could probably update it to ocaml-4.04 
> without breaking dependents.

Commits 2e125ece093ef842ca017ffb146cbc5fa33f2f75 and
4982c0c98deecea0d4f69f14ea28cab53b5f2123 remove ocaml@4.01, pplacer and
all other dependent packages.

Is ocaml@4.02 really needed? It would be nice to get rid of a package
with CVE.

Andreas






bug#27462: OCaml CVE-2015-8869

2019-01-31 Thread Julien Lepiller
On 31 January 2019 18:21:13 GMT+01:00, Andreas Enge wrote:
>On Thu, Jan 31, 2019 at 05:57:03PM +0100, Andreas Enge wrote:
>> Are people using the software
>
>I suppose not, because one of its dependencies currently does not
>build:
>
>...
>phase `ocaml-findlib-environment' succeeded after 0.0 seconds
>starting phase `configure'
>build directory:
>"/tmp/guix-build-ocaml4.01-gsl-1.22.0.drv-0/gsl-1.22.0"
>running 'configure' with arguments ("-prefix"
>"/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0")
>Backtrace:
>   5 (primitive-load "/gnu/store/g4hk79x8kdpgnq87jhy6qjj9qa1…")
>In ice-9/eval.scm:
>   191:35  4 (_ _)
>In srfi/srfi-1.scm:
>  863:16  3 (every1 # …)
>In
>/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/gnu-build-system.scm:
>   799:28  2 (_ _)
>In
>/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/ocaml-build-system.scm:
> 55:8  1 (configure #:outputs _ #:configure-flags _ #:test-flags …)
>In
>/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:
>616:6  0 (invoke _ . _)
>
>/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:616:6:
>In procedure invoke:
>Throw to key `srfi-34' with args `(#"./configure" arguments: ("-prefix"
>"/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0")
>exit-status: 127 term-signal: #f stop-signal: #f] 491fc0>)'.
>builder for
>`/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv'
>failed with exit code 1
>build of
>/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv
>failed
>...
>
>Shall we remove all the ocaml-4.01 universe? The next step would be
>4.02,
>it appears that the CVE is solved with 4.03 only:
>
>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
>   "OCaml before 4.03.0 does not properly handle..."
>
>Andreas

I still care about ocaml-4.02, but I could probably update it to ocaml-4.04 
without breaking dependents.





bug#27462: OCaml CVE-2015-8869

2019-01-31 Thread swedebugia

On 2019-01-31 17:57, Andreas Enge wrote:
> Hello,
>
> this bug has been open for quite a while, and the development of pplacer seems
> to be stalled, with the latest commit in May 2018, and no reaction whatsoever
> to Ben's bug report
> https://github.com/matsen/pplacer/issues/354
>
> How should we continue? Are people using the software, or should we maybe
> remove it?


Remove sounds good to me.

--
Cheers Swedebugia





bug#27462: OCaml CVE-2015-8869

2019-01-31 Thread Andreas Enge
On Thu, Jan 31, 2019 at 05:57:03PM +0100, Andreas Enge wrote:
> Are people using the software

I suppose not, because one of its dependencies currently does not build:

...
phase `ocaml-findlib-environment' succeeded after 0.0 seconds
starting phase `configure'
build directory: "/tmp/guix-build-ocaml4.01-gsl-1.22.0.drv-0/gsl-1.22.0"
running 'configure' with arguments ("-prefix" 
"/gnu/store/2f0wbxxpva9pnl4877hcr1k9gnawnbgc-ocaml4.01-gsl-1.22.0")
Backtrace:
   5 (primitive-load "/gnu/store/g4hk79x8kdpgnq87jhy6qjj9qa1…")
In ice-9/eval.scm:
   191:35  4 (_ _)
In srfi/srfi-1.scm:
   863:16  3 (every1 # …)
In 
/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/gnu-build-system.scm:
   799:28  2 (_ _)
In 
/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/ocaml-build-system.scm:
 55:8  1 (configure #:outputs _ #:configure-flags _ #:test-flags …)
In 
/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:
616:6  0 (invoke _ . _)

/gnu/store/vnbx61brdhy87fhvwhrgf24qdgk1r4ww-module-import/guix/build/utils.scm:616:6:
 In procedure invoke:
Throw to key `srfi-34' with args `(#)'.
builder for 
`/gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv' failed 
with exit code 1
build of /gnu/store/diyv95rimr1dl0m5n1ms8yclb6b139lc-ocaml4.01-gsl-1.22.0.drv 
failed
...

Shall we remove all the ocaml-4.01 universe? The next step would be 4.02,
it appears that the CVE is solved with 4.03 only:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
   "OCaml before 4.03.0 does not properly handle..."

Andreas
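The practical point in Andreas's message is that upstream fixed CVE-2015-8869 only in OCaml 4.03.0, so a distribution that keeps older interpreter packages (ocaml@4.01, ocaml@4.02) stays exposed unless the fix was backported into that package definition, which Leo's first message says happened for the primary ocaml package but not for ocaml-4.01. The check below is an added example, written by the editor and not code from Guix or from anyone in this thread: it audits a list of Guix-style `name@version` package specs against the 4.03.0 threshold quoted from the CVE text, and keeps a separate allow-list of builds known to carry the backported patch so that a pure version comparison does not flag them. The package list, the allow-list and the `audit`/`is_vulnerable` helper names are constructed for illustration.

```python
import re
from typing import Iterable, List, Tuple

# Version in which upstream fixed CVE-2015-8869, per the CVE text quoted
# in the thread ("OCaml before 4.03.0 does not properly handle...").
FIXED_VERSION = (4, 3, 0)

# Leading dotted numeric part of a version string; suffixes are ignored.
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '4.02.3', '4.01' or '4.03.0+beta1' into a comparable tuple.

    Missing components count as 0, so '4.01' compares as (4, 1, 0)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def split_spec(spec: str) -> Tuple[str, str]:
    """Split a Guix-style spec such as 'ocaml@4.01' into (name, version).

    A spec without '@' carries no version to reason about, so it is an error."""
    name, sep, version = spec.partition("@")
    if not sep:
        raise ValueError(f"spec has no version: {spec!r}")
    return name, version


def is_vulnerable(spec: str, backported: Iterable[str] = ()) -> bool:
    """True when `spec` names an OCaml build older than 4.03.0 that is not
    recorded in `backported`.

    `backported` is a constructed allow-list (assumption, not Guix metadata)
    of specs whose package definition applies the upstream patch; without it
    a version-only check reports those builds as vulnerable."""
    name, version = split_spec(spec)
    if name != "ocaml":
        return False
    if spec in set(backported):
        return False
    return parse_version(version) < FIXED_VERSION


def audit(specs: Iterable[str], backported: Iterable[str] = ()) -> List[str]:
    """Return the specs that still need action, in input order."""
    return [s for s in specs if is_vulnerable(s, backported)]


# Constructed sample resembling the packages discussed in the thread.
SAMPLE_SPECS = [
    "ocaml@4.01.0",
    "ocaml@4.02.3",
    "ocaml@4.07.1",
    "pplacer@1.1",
    "ocaml@4.03.0",
]
# Hypothetical: assume the 4.02 package definition carries the backported fix.
SAMPLE_BACKPORTED = ["ocaml@4.02.3"]

if __name__ == "__main__":
    for s in audit(SAMPLE_SPECS, SAMPLE_BACKPORTED):
        print(f"{s}: affected by CVE-2015-8869 (no backported fix recorded)")
```

The allow-list is the part worth keeping in mind: a version-based scanner reports every ocaml@4.0x build as affected, which is exactly the false positive that arises for a package that did receive the patch. Conversely, a build that was created by copying an older definition without the patch, as the thread describes for ocaml-4.01, is only caught if nobody adds it to the allow-list by mistake, so the list should be derived from the package's actual patch inputs rather than maintained by hand.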






bug#27462: OCaml CVE-2015-8869

2019-01-31 Thread Andreas Enge
Hello,

this bug has been open for quite a while, and the development of pplacer seems
to be stalled, with the latest commit in May 2018, and no reaction whatsoever
to Ben's bug report
   https://github.com/matsen/pplacer/issues/354

How should we continue? Are people using the software, or should we maybe
remove it?

Andreas






bug#27462: OCaml CVE-2015-8869

2017-06-24 Thread Leo Famulari
On Sat, Jun 24, 2017 at 10:25:52AM +1000, Ben Woodcroft wrote:
> On 24/06/17 02:41, Leo Famulari wrote:
> > Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
> > in the primary ocaml package in April 2016. Unfortunately, this patch
> > was not included when the ocaml-4.01 package was created in January
> > 2017.
> > 
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
> > 
> > Do we need this older version of OCaml? If so, we need a volunteer to
> > maintain it.
> 
> Thanks for pointing this out. AFAIK OCaml 4.01 is really only used to build
> pplacer, a bioinformatics program. I was planning on submitting 3 further
> bioinformatic packages soon which rely on pplacer, however.
> 
> I'm not sure I have the bandwidth to backport patches to such an old
> release, especially since the OCaml maintainers do not appear to be either,
> AFAICS.
> 
> This is a little frustrating, but perhaps they should be removed. WDYT?

That is a last resort :)

We should check if another distro has a patch for OCaml 4.01, if we can
backport the patch, if pplacer can use a newer OCaml, and only then
consider removing the packages.




bug#27462: OCaml CVE-2015-8869

2017-06-23 Thread Ben Woodcroft

Hi Leo,


On 24/06/17 02:41, Leo Famulari wrote:
> Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
> in the primary ocaml package in April 2016. Unfortunately, this patch
> was not included when the ocaml-4.01 package was created in January
> 2017.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
>
> Do we need this older version of OCaml? If so, we need a volunteer to
> maintain it.


Thanks for pointing this out. AFAIK OCaml 4.01 is really only used to 
build pplacer, a bioinformatics program. I was planning on submitting 3 
further bioinformatic packages soon which rely on pplacer, however.


I'm not sure I have the bandwidth to backport patches to such an old 
release, especially since the OCaml maintainers do not appear to be 
either, AFAICS.


This is a little frustrating, but perhaps they should be removed. WDYT?

ben





bug#27462: OCaml CVE-2015-8869

2017-06-23 Thread Leo Famulari
Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched
in the primary ocaml package in April 2016. Unfortunately, this patch
was not included when the ocaml-4.01 package was created in January
2017.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869

Do we need this older version of OCaml? If so, we need a volunteer to
maintain it.

