[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#27462: OCaml CVE-2015-8869
From: |
Julien Lepiller |
Subject: |
bug#27462: OCaml CVE-2015-8869 |
Date: |
Wed, 20 Feb 2019 09:39:20 +0100 |
User-agent: |
K-9 Mail for Android |
Le 19 février 2019 23:17:52 GMT+01:00, Andreas Enge <address@hidden> a écrit :
>On Thu, Jan 31, 2019 at 06:30:27PM +0100, Julien Lepiller wrote:
>> I still care about ocaml-4.02, but I could probably update it to
>ocaml-4.04 without breaking dependents.
>
>Commits 2e125ece093ef842ca017ffb146cbc5fa33f2f75 and
>4982c0c98deecea0d4f69f14ea28cab53b5f2123 remove address@hidden, pplacer and
>all other dependent packages.
>
>Is address@hidden really needed? It would be nice to get rid of a package
>with CVE.
>
>Andreas
At this point, we only need it for bap and dependencies. I've added
dependencies for the latest bap commit that work with the latest ocaml, but
they haven't released a new version yet. Can we wait a bit longer?
Another solution would be to jump to ocaml 4.05 and re-package another version
of ~50 dependencies. I don't really want to do that…