GNU bug report logs - #27463
OCaml CVE-2017-9772

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: guix; Reported by: Leo Famulari <leo@HIDDEN>; Keywords: security; dated Fri, 23 Jun 2017 16:43:02 UTC; Maintainer for guix is bug-guix@HIDDEN.
Added tag(s) security. Request was from ludo@HIDDEN (Ludovic Courtès) to control <at> debbugs.gnu.org. Full text available.

Message received at 27463 <at> debbugs.gnu.org:


Received: (at 27463) by debbugs.gnu.org; 29 Jun 2017 19:17:52 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Jun 29 15:17:52 2017
Received: from localhost ([127.0.0.1]:45028 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1dQewq-0006El-8f
	for submit <at> debbugs.gnu.org; Thu, 29 Jun 2017 15:17:52 -0400
Received: from flashner.co.il ([178.62.234.194]:38322)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <efraim@HIDDEN>) id 1dQewo-0006EY-GF
 for 27463 <at> debbugs.gnu.org; Thu, 29 Jun 2017 15:17:50 -0400
Received: from localhost (85.64.232.168.dynamic.barak-online.net
 [85.64.232.168])
 by flashner.co.il (Postfix) with ESMTPSA id 6D937400D7;
 Thu, 29 Jun 2017 19:17:44 +0000 (UTC)
Date: Thu, 29 Jun 2017 22:17:41 +0300
From: Efraim Flashner <efraim@HIDDEN>
To: Leo Famulari <leo@HIDDEN>
Subject: Re: bug#27463: OCaml CVE-2017-9772
Message-ID: <20170629191741.GE1734@HIDDEN>
References: <20170623164150.GA15440@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature"; boundary="uCPdOCrL+PnN2Vxy"
Content-Disposition: inline
In-Reply-To: <20170623164150.GA15440@HIDDEN>
User-Agent: Mutt/1.8.3 (2017-05-23)
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 27463
Cc: 27463 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.0 (/)


--uCPdOCrL+PnN2Vxy
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Jun 23, 2017 at 12:41:50PM -0400, Leo Famulari wrote:
> Our packages of OCaml 4.02.3 and 4.01.0 are vulnerable to CVE-2017-9772:
>=20
> http://seclists.org/oss-sec/2017/q2/575
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-9772

According to Debian=C2=B9 only Ocaml-4.04.[01] is affected

=C2=B9https://security-tracker.debian.org/tracker/CVE-2017-9772

--=20
Efraim Flashner   <efraim@HIDDEN>   =D7=90=D7=A4=D7=A8=D7=99=D7=9D =
=D7=A4=D7=9C=D7=A9=D7=A0=D7=A8
GPG key =3D A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

--uCPdOCrL+PnN2Vxy
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEoov0DD5VE3JmLRT3Qarn3Mo9g1EFAllVUkwACgkQQarn3Mo9
g1E3Jw/+LQa+kkWkHW9ep2MZ978e71mqgk4Ce9SjKysfrkSHfdh1dKCf/OX0BWe4
2EfsDIFm9ATWt5sW6oWFe/At3UxByKs40WeeIqZvpzEJlLv/9uY6W8T3dhaflYqj
GVP7gwk+D9l9lFdnxKhX5rfyJOt5CGyMJA4Q9NoDv+7MwCuFyWYgovphOib9Hfcc
PKj3+2HWUbbfycK7MfiXS0FaHrWJOdeqcTk14t0m/JVjimJ3OY2XWSYksNKPhpCE
RgjRqWChB2UKWBg9z0mYweloFQluc04UN+KTnyYyoASehr76v+HCdApnIhBoIXXd
B+/6sFzWDN5j8NTiuAt6fl44tUYCV9rYvrGoDFrESy1g26NZxla+cXuU1S+6Uii2
BVwx9WCAelvAIeP9PYIFhzb8nQW9LxaJEz3qEm6POrZIedzdeV0cPlSE635LZ5Py
FXOvygYABOHUa/FXUBZpS4jbsGJEBGqjcWPF7sMyHGt06xKcTpsppEYUlOb6/sxf
FG48UvSf+n9s/PEIh1ldG3mmoXoC9eTvm+P5kaSG21JA+KbkT2RylR5ujzYPv8/Q
/Q8u6dA7p5+Av65oqpb3k+ItMm2yPNhzfro7Co5FC6OAaIL3tCKyKD+uLDggOmkh
dLyg42y8wzGmH+Fp3dgjC26sxtgaILtUezLjqKr5ugUFL9vN5rs=
=falG
-----END PGP SIGNATURE-----

--uCPdOCrL+PnN2Vxy--




Information forwarded to bug-guix@HIDDEN:
bug#27463; Package guix. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 23 Jun 2017 16:42:04 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Jun 23 12:42:04 2017
Received: from localhost ([127.0.0.1]:34693 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1dORem-0005Zl-FR
	for submit <at> debbugs.gnu.org; Fri, 23 Jun 2017 12:42:04 -0400
Received: from eggs.gnu.org ([208.118.235.92]:47594)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@HIDDEN>) id 1dORek-0005Yn-EO
 for submit <at> debbugs.gnu.org; Fri, 23 Jun 2017 12:42:02 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@HIDDEN>) id 1dORee-00086j-KB
 for submit <at> debbugs.gnu.org; Fri, 23 Jun 2017 12:41:57 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,T_DKIM_INVALID
 autolearn=disabled version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:49566)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@HIDDEN>) id 1dORee-00086a-HC
 for submit <at> debbugs.gnu.org; Fri, 23 Jun 2017 12:41:56 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:38549)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <leo@HIDDEN>) id 1dORed-00038j-A7
 for bug-guix@HIDDEN; Fri, 23 Jun 2017 12:41:56 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@HIDDEN>) id 1dORea-00084K-7j
 for bug-guix@HIDDEN; Fri, 23 Jun 2017 12:41:55 -0400
Received: from out3-smtp.messagingengine.com ([66.111.4.27]:50263)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@HIDDEN>) id 1dORea-000849-3K
 for bug-guix@HIDDEN; Fri, 23 Jun 2017 12:41:52 -0400
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 7B2F720A4C;
 Fri, 23 Jun 2017 12:41:51 -0400 (EDT)
Received: from frontend1 ([10.202.2.160])
 by compute4.internal (MEProxy); Fri, 23 Jun 2017 12:41:51 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=content-type:date:from:message-id:mime-version:subject:to
 :x-me-sender:x-me-sender:x-sasl-enc:x-sasl-enc; s=mesmtp; bh=Yn6
 WqXRMXhc+U9KWSdEwCuXov7PdhOBAXUCM1zjDjNw=; b=KNjTTtdOjSIRb0xRDDd
 q8QqVZ2XqhJ+uAZmlQgv+yutcXF6S7n9joxDNaFGe4l3Y5Mr2Wv4deSOgCQWOSpt
 qsF16ik2QMJzqogVhXxBircYWJctxcFyKCjdrNaSU6PwsM7yACMACo/zgWh3Xb9A
 7LI0fLwjz2ZMcX9XRQJikaMI=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:message-id
 :mime-version:subject:to:x-me-sender:x-me-sender:x-sasl-enc
 :x-sasl-enc; s=fm1; bh=Yn6WqXRMXhc+U9KWSdEwCuXov7PdhOBAXUCM1zjDj
 Nw=; b=THcZzAlt/drYYP1Ovbl/7nxFe5kNhNthVYkYIft+wU851nq7weIBO7m5h
 HahqXVUmXt2zUfyluTkBLTnDzDpu5H72u2fPLIFqxMeI6ZH6Q06Q7QYNNXmwYcZp
 3Gg7TR8IRIPtFmRSZT3mFZfwzGFMo9j9qMOOxsRhEIB7oUntKwHg79pOND2evU0V
 iYaMUfwcNswADwDUhitrCl4xEb3TkqDzlquNF/G0k9pl0hbYPp/Qj9T4WVxM1e3F
 n4kHiNrWt+T33pRxKRQOjzBIvfNdSnVAfBzzvyB39n0o+M5DdRaMmnmFTEdK/2K4
 GwnDbJ+odOwpbN0SWWf20EWtgqiZQ==
X-ME-Sender: <xms:z0RNWeCDX4RCqEXrP6fV_ZXJGKCrhTvJb_wKJYOimKKr7prszWqZ3g>
X-Sasl-enc: 7sI0eU6vH67f4lEvQ/KL+vVD2JvQWGELlRMgvcG24Bua 1498236111
Received: from localhost (unknown [128.64.129.7])
 by mail.messagingengine.com (Postfix) with ESMTPA id 3C2CC7E5C8
 for <bug-guix@HIDDEN>; Fri, 23 Jun 2017 12:41:51 -0400 (EDT)
Date: Fri, 23 Jun 2017 12:41:50 -0400
From: Leo Famulari <leo@HIDDEN>
To: bug-guix@HIDDEN
Subject: OCaml CVE-2017-9772
Message-ID: <20170623164150.GA15440@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="DocE+STaALJfprDB"
Content-Disposition: inline
User-Agent: Mutt/1.8.3 (2017-05-23)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
 [fuzzy]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -4.1 (----)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -4.1 (----)


--DocE+STaALJfprDB
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Our packages of OCaml 4.02.3 and 4.01.0 are vulnerable to CVE-2017-9772:

http://seclists.org/oss-sec/2017/q2/575
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9772

--DocE+STaALJfprDB
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAllNRM4ACgkQJkb6MLrK
fwjhIRAAsdaeVYrsb5UAgjHljirS/54G3lbCC8faD+apw3ZoxsVWFvBcHBYwxMZg
4IbwDh/jIqskd82j5ITMB7tYFrG9VJd9GFUcT7Wy5dG5IUC0/dnRmqlH+Lj6a29H
hW1TN8MjDPNwjoAgTr6cj8FTr7jGNe4W6Lxkj3uUsegR8YREMf4jwN7h0occ298L
htob0j/NXx6OajbjRE2dyav8/jSyZI+gX9RAAqSXnsUhnRLx0ey78dVyDUAWtfSC
jaTmTq6C/GQJY8QX/DJrHTgDoOZvtKmTdygZmrdxu5EXh64R0PmO2yMzax4cojhP
pL6f1CYB/799j8GCFMBhc6J/J2h1WX2m2JFf7U1OgrdFSda2b1/Ouv0szhFWJZPd
6zlH3BKbVSLxtCY1/DUZXnWMxzTcauQvVb7VHnCeTOd3nP+I2dpkGvUnLFi7BPv8
Vg+/bI8QAh0yvpPUn75gTGxftSIXOGJgVbBySHOy4AjItzRVL3nAom3kI8xImf7X
zkHF2RFwQeXlI6BKtkOqL6u3tR0VU0785HI7oApNFe68gzb86X5YrFmraKi/vcPf
EEB/XlWnHbZrVXnuT3uXgz3HZupXO4lo9+0T/lmM1E3yQqcqLvRFDUXsrGJBwSYB
IAGvEXzfpTIlMB+pXJzqZ4Vuhq0cIJ83opaqkRx01GMZvfk8OmI=
=UZ/E
-----END PGP SIGNATURE-----

--DocE+STaALJfprDB--




Acknowledgement sent to Leo Famulari <leo@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#27463; Package guix. Full text available.
Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Last modified: Thu, 27 Jul 2017 12:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.