openSUSE has issued an advisory today (April 24):
https://lists.opensuse.org/opensuse-updates/2018-04/msg00070.html

Mageia 5 and Mageia 6 are also affected.

The SUSE bug has details:
https://bugzilla.suse.com/show_bug.cgi?id=1088591
Whiteboard: (none) => MGA6TOO
Assigning to all pkgrs collectively, since there is no registered maintainer for this pkg
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
Status comment: (none) => Patches available from openSUSE and upstream
David Geiger fixed this in Cauldron in ocaml-4.06.0-4.mga7 on May 5.
Version: Cauldron => 6
CC: (none) => geiger.david68210
Whiteboard: MGA6TOO => (none)
openSUSE advisory for this on June 6:
https://lists.opensuse.org/opensuse-updates/2018-06/msg00016.html
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The caml_ba_deserialize function in byterun/bigarray.c in the standard library in OCaml 4.06.0 has an integer overflow which, in situations where marshalled data is accepted from an untrusted source, allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted object. (CVE-2018-9838)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9838
https://lists.opensuse.org/opensuse-updates/2018-04/msg00070.html
https://bugzilla.suse.com/show_bug.cgi?id=1088591
https://lists.opensuse.org/opensuse-updates/2018-06/msg00016.html
========================

Updated packages in core/updates_testing:
========================
ocaml-4.02.3-6.1.mga6
ocaml-compiler-4.02.3-6.1.mga6
ocaml-doc-4.02.3-6.1.mga6
ocaml-x11-4.02.3-6.1.mga6
ocaml-sources-4.02.3-6.1.mga6
ocaml-compiler-libs-4.02.3-6.1.mga6

from SRPMS:
ocaml-4.02.3-6.1.mga6.src.rpm
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2018-9838
Source RPM: ocaml-4.06.0-3.mga7.src.rpm => ocaml-4.02.3-6.mga6.src.rpm
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Found in bug 18296 a link to http://ocaml.org/learn/tutorials/basics.html and did two simple tests:

$ ocaml
        OCaml version 4.02.3

# 1+1;;
- : int = 2

and

$ mkdir my_ocamlproject
$ cd my_ocamlproject
$ echo 'let () = print_endline "Hello, World!"' > my_prog.ml
$ ls
my_prog.ml
$ more my_prog.ml
let () = print_endline "Hello, World!"
$ ocamlbuild my_prog.native
Finished, 4 targets (0 cached) in 00:00:01.
$ ./my_prog.native
Hello, World!

That all looks OK.
Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene
Out of my depth here, so checking 64-bit for installation issues only. Had to install ocaml and dependencies, no issues. Used the list from Comment 4 in qarepo, resulting in updates for ocaml, ocaml-compiler, and ocaml-x11. Again, no installation issues. Validating. Advisory in Comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0124.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED