Hi Leo,
On 24/06/17 02:41, Leo Famulari wrote:
> Our package ocaml-4.01 is vulnerable to CVE-2015-8869, which we patched in the primary ocaml package in April 2016. Unfortunately, this patch was not included when the ocaml-4.01 package was created in January 2017.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869
>
> Do we need this older version of OCaml? If so, we need a volunteer to maintain it.
Thanks for pointing this out. AFAIK OCaml 4.01 is really only used to build pplacer, a bioinformatics program. I was planning on submitting 3 further bioinformatic packages soon which rely on pplacer, however.
I'm not sure I have the bandwidth to backport patches to such an old release, especially since the OCaml maintainers do not appear to be either, AFAICS.
This is a little frustrating, but perhaps they should be removed. WDYT?

ben