[Artful Aardvark] Security issue in the packaged version of OCaml

Dimitri John Ledkov xnox at ubuntu.com
Mon Oct 9 09:09:31 UTC 2017


On 7 October 2017 at 16:56, Benjamin <benjamin.farinier at gmail.com> wrote:
> Hello,
>
> I am an Ubuntu user working with OCaml. I am glad to see that the Artful
> Aardvark release of Ubuntu comes with the 4.04.0 release of the OCaml
> compiler. However, it appears that the 4.04.0 (and the 4.04.1) release
> contains a security flaw[1].
>
> As this security flaw is fixed in the 4.04.2 release of the compiler,
> and as this release of the compiler is fully compatible with 4.04.0,
> maybe it would be welcome to upgrade the packaged version of OCaml to
> 4.04.2?
>

OCaml is very ABI sensitive, thus even a minor update like that may
trigger a change of the magic provides, triggering recompiles.

Also, given how late in the cycle we are, it's best to handle this just
like any other security update in Ubuntu - specifically doing a
targeted cherry-pick of the security bugfix only.

I'm preparing such an update.

No other releases are affected as per
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9772.html

-- 
Regards,

Dimitri.
