GNU bug report logs - #27463
OCaml CVE-2017-9772


Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Fri, 23 Jun 2017 16:43:02 UTC

Severity: normal

Tags: security

Done: Julien Lepiller <julien <at> lepiller.eu>

Bug is archived. No further changes may be made.


Report forwarded to bug-guix <at> gnu.org:
bug#27463; Package guix. (Fri, 23 Jun 2017 16:43:02 GMT)

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Fri, 23 Jun 2017 16:43:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: bug-guix <at> gnu.org
Subject: OCaml CVE-2017-9772
Date: Fri, 23 Jun 2017 12:41:50 -0400
Our packages of OCaml 4.02.3 and 4.01.0 are vulnerable to CVE-2017-9772:

http://seclists.org/oss-sec/2017/q2/575
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9772

Information forwarded to bug-guix <at> gnu.org:
bug#27463; Package guix. (Thu, 29 Jun 2017 19:18:01 GMT)

Message #8 received at 27463 <at> debbugs.gnu.org:

From: Efraim Flashner <efraim <at> flashner.co.il>
To: Leo Famulari <leo <at> famulari.name>
Cc: 27463 <at> debbugs.gnu.org
Subject: Re: bug#27463: OCaml CVE-2017-9772
Date: Thu, 29 Jun 2017 22:17:41 +0300
On Fri, Jun 23, 2017 at 12:41:50PM -0400, Leo Famulari wrote:
> Our packages of OCaml 4.02.3 and 4.01.0 are vulnerable to CVE-2017-9772:
> 
> http://seclists.org/oss-sec/2017/q2/575
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9772

According to Debian¹ only Ocaml-4.04.[01] is affected

¹https://security-tracker.debian.org/tracker/CVE-2017-9772

-- 
Efraim Flashner   <efraim <at> flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
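The check this triage turns on is whether the packaged compiler is one of the releases Debian's tracker lists as affected. Below is an added example of that check, written for this page and not part of the bug thread or of Guix: it parses the output of `ocamlc -version` (bare version) or `ocaml -version` (prose form; the exact wording is an assumption about the toolchain) and flags only 4.04.0 and 4.04.1, the releases named in the Debian entry cited above. The sample version strings are constructed to mirror the versions discussed in the thread, and `local_ocamlc_version` is a hypothetical helper for running the installed compiler.

```python
import re
import shutil
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Releases the Debian security tracker entry cited in the thread lists as
# affected by CVE-2017-9772: OCaml 4.04.0 and 4.04.1. The thread supports
# nothing beyond this set, so every other release is reported as "not
# listed" rather than asserted to be safe.
AFFECTED: frozenset = frozenset({(4, 4, 0), (4, 4, 1)})

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)")


def parse_ocaml_version(text: str) -> Optional[Version]:
    """Extract MAJOR.MINOR.PATCH from compiler version output.

    Accepts the bare form printed by `ocamlc -version` ("4.02.3") and the
    prose form printed by `ocaml -version` ("The OCaml toplevel, version
    4.04.1"); a "+flambda"-style suffix after the patch level is ignored.
    Returns None when no version is found so callers can tell "unknown"
    apart from "not affected".
    """
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_listed_affected(text: str) -> Optional[bool]:
    """True if the parsed version is in AFFECTED, False if a version was
    parsed but is not listed, None if no version could be parsed."""
    v = parse_ocaml_version(text)
    if v is None:
        return None
    return v in AFFECTED


def triage(outputs: Dict[str, str]) -> Dict[str, str]:
    """Map a package label to a verdict for each captured version output."""
    verdicts: Dict[str, str] = {}
    for label, text in outputs.items():
        hit = is_listed_affected(text)
        if hit is None:
            verdicts[label] = "unknown: no version string found"
        elif hit:
            verdicts[label] = "AFFECTED: listed for CVE-2017-9772"
        else:
            verdicts[label] = "not listed as affected"
    return verdicts


def local_ocamlc_version() -> Optional[str]:
    """Hypothetical helper: run the installed ocamlc, if any, and return
    its `-version` output (None when no ocamlc is on PATH)."""
    exe = shutil.which("ocamlc")
    if exe is None:
        return None
    proc = subprocess.run([exe, "-version"], capture_output=True,
                          text=True, check=False)
    return proc.stdout.strip()


# Constructed sample outputs mirroring the versions named in the thread
# (4.01.0 and 4.02.3 from the report, 4.04.0/4.04.1 from Debian, the 4.07
# series current when the bug was closed) plus one failed capture.
SAMPLE_OUTPUTS: Dict[str, str] = {
    "ocaml-4.01.0": "4.01.0",
    "ocaml-4.02.3": "The OCaml toplevel, version 4.02.3",
    "ocaml-4.04.0": "4.04.0",
    "ocaml-4.04.1": "The OCaml toplevel, version 4.04.1",
    "ocaml-4.07": "4.07.0",
    "bad-capture": "ocamlc: command not found",
}

if __name__ == "__main__":
    for label, verdict in triage(SAMPLE_OUTPUTS).items():
        print(f"{label:14} {verdict}")
    local = local_ocamlc_version()
    if local is not None:
        print("installed ocamlc:", local, "->",
              triage({"local": local})["local"])
```

Run it against the constructed samples to see the two 4.04 entries flagged and the rest reported as not listed; with an `ocamlc` on PATH it also reports the installed compiler. Keep the "unknown" verdict distinct from "not listed": a failed capture must not read as a clean result.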

Added tag(s) security. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Thu, 27 Jul 2017 12:26:02 GMT)

Information forwarded to bug-guix <at> gnu.org:
bug#27463; Package guix. (Thu, 14 Nov 2019 16:24:01 GMT)

Message #13 received at 27463 <at> debbugs.gnu.org:

From: zimoun <zimon.toutoune <at> gmail.com>
To: 27463 <at> debbugs.gnu.org, Leo Famulari <leo <at> famulari.name>, Julien Lepiller <julien <at> lepiller.eu>, Ludovic Courtès <ludo <at> gnu.org>
Subject: Bug #27463 Hunting: OCaml CVE-2017-9772
Date: Thu, 14 Nov 2019 17:22:41 +0100
Dear all,

This bug was opened for OCaml versions 4.02 and 4.01, then Debian said
it affects version 4.04, and today (two years later) the version is
4.07. Does this security issue still make sense?

If yes, please tell me what I can do to proceed: apply the
security patch and close the issue.
If no, I plan to close this bug.

Thank you in advance for any comments.

All the best,
simon

https://debbugs.gnu.org/cgi/bugreport.cgi?bug=27463

Reply sent to Julien Lepiller <julien <at> lepiller.eu>:
You have taken responsibility. (Thu, 14 Nov 2019 17:24:02 GMT)

Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Thu, 14 Nov 2019 17:24:02 GMT)

Message #18 received at 27463-done <at> debbugs.gnu.org:

From: Julien Lepiller <julien <at> lepiller.eu>
To: zimoun <zimon.toutoune <at> gmail.com>,27463-done <at> debbugs.gnu.org
Subject: Re: Bug #27463 Hunting: OCaml CVE-2017-9772
Date: Thu, 14 Nov 2019 18:23:43 +0100
On 14 November 2019 17:22:41 GMT+01:00, zimoun <zimon.toutoune <at> gmail.com> wrote:
>Dear all,
>
>This bug was opened for OCaml versions 4.02 and 4.01, then Debian said
>it affects version 4.04, and today (two years later) the version is
>4.07. Does this security issue still make sense?
>
>If yes, please tell me what I can do to proceed: apply the
>security patch and close the issue.
>If no, I plan to close this bug.
>
>
>Thank you in advance for any comments.
>
>All the best,
>simon
>
>https://debbugs.gnu.org/cgi/bugreport.cgi?bug=27463

Closing as the security issue does not apply to our OCaml version.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 13 Dec 2019 12:24:04 GMT)
