On 7 October 2017 at 16:56, Benjamin <[email protected]> wrote:
> Hello,
>
> I am an Ubuntu user working with OCaml. I am glad to see that the Artful
> Aardvark release of Ubuntu comes with the 4.04.0 release of the OCaml
> compiler. However, it appears that the 4.04.0 (and the 4.04.1) release
> contains a security flaw[1].
>
> As this security flaw is fixed in the 4.04.2 release of the compiler,
> and as this release of the compiler is fully compatible with 4.04.0,
> maybe it would be welcome to upgrade the packaged version of OCaml to
> 4.04.2?
>

OCaml is very ABI-sensitive, thus even a minor update like that may
trigger a change of the magic provides, triggering recompiles.

Also given how late in the cycle we are, it's best to handle this just
like any other security update in Ubuntu - specifically doing a
targeted cherry-pick of the security bugfix only.

I'm preparing such an update.

No other releases are affected as per
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9772.html

-- 
Regards,

Dimitri.
