Re: Issues in OCaml, specifically CVE-2015-8869
Hi,
[putting this back on the debian-ocaml-maint list]
On Wed, May 18, 2016 at 07:41:19PM +0200, Salvatore Bonaccorso wrote:
> Hi Ralf,
>
> On Wed, May 18, 2016 at 08:38:42AM +0200, Ralf Treinen wrote:
> > Hi,
> >
> > On Tue, May 17, 2016 at 08:55:54PM +0200, Salvatore Bonaccorso wrote:
> > > Hello OCaml maintainers :-)
> > >
> > > On Thu, May 12, 2016 at 09:54:29PM +0200, Moritz Mühlenhoff wrote:
> > > > On Thu, May 12, 2016 at 08:47:00PM +0200, Salvatore Bonaccorso wrote:
> > > > > Hi Team,
> > > > >
> > > > > I tend to mark CVE-2015-8869/ocaml in the tracker as no-dsa. The
> > > > > reason is we would need to recompile reverse dependencies using the
> > > > > patched functions.
> > > >
> > > > [Adding ocaml maintainers to CC]
> > > >
> > > > Do we know whether packages in the archive are affected?
> > >
> > > Any information for that?
> >
> > Stéphane had answered to the same question by Thorsten Alteholz:
> >
> > https://lists.debian.org/debian-ocaml-maint/2016/05/msg00042.html
>
> Thanks for pointing us to that reply, appreciated.
>
> IMHO then the best option I think would be to fix this rather via a
> jessie-point release and do proper binNMUs there. Doing it via
> security would imply to do sourceful uploads for every reverse
> dependency which was never seen so far on security.d.o (for the other
> cases binNMU would work).
>
> I will mark this in the security-tracker as no-dsa, indicating to fix
> it via a jessie-point release. Can you first fix it in unstable and
> then contact the SRM for an update via jessie-pu?
Stéphane, are you taking care of this?
-Ralf.