
Bug#659149: marked as done (CVE-2012-0839: Hash collision DoS)



Your message dated Thu, 21 Jun 2012 15:36:31 +0000
with message-id <E1ShjQt-0004Uk-S5@franck.debian.org>
and subject line Bug#659149: fixed in ocaml 4.00.0~beta2-2
has caused the Debian Bug report #659149,
regarding CVE-2012-0839: Hash collision DoS
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
659149: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659149
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: ocaml
Severity: important
Tags: security

Ocaml is affected by the recently discovered class of hash collisions,
see http://www.mail-archive.com/caml-list@inria.fr/msg01477.html

Apparently there's no upstream fix yet.

Cheers,
        Moritz



--- End Message ---
--- Begin Message ---
Source: ocaml
Source-Version: 4.00.0~beta2-2

We believe that the bug you reported is fixed in the latest version of
ocaml, which is due to be installed in the Debian FTP archive:

camlp4-extra_4.00.0~beta2-2_amd64.deb
  to main/o/ocaml/camlp4-extra_4.00.0~beta2-2_amd64.deb
camlp4_4.00.0~beta2-2_amd64.deb
  to main/o/ocaml/camlp4_4.00.0~beta2-2_amd64.deb
ocaml-base-nox_4.00.0~beta2-2_amd64.deb
  to main/o/ocaml/ocaml-base-nox_4.00.0~beta2-2_amd64.deb
ocaml-base_4.00.0~beta2-2_amd64.deb
  to main/o/ocaml/ocaml-base_4.00.0~beta2-2_amd64.deb
ocaml-compiler-libs_4.00.0~beta2-2_amd64.deb
  to main/o/ocaml/ocaml-compiler-libs_4.00.0~beta2-2_amd64.deb
ocaml-interp_4.00.0~beta2-2_amd64.deb
  to main/o/ocaml/ocaml-interp_4.00.0~beta2-2_amd64.deb
ocaml-mode_4.00.0~beta2-2_all.deb
  to main/o/ocaml/ocaml-mode_4.00.0~beta2-2_all.deb
ocaml-native-compilers_4.00.0~beta2-2_amd64.deb
  to main/o/ocaml/ocaml-native-compilers_4.00.0~beta2-2_amd64.deb
ocaml-nox_4.00.0~beta2-2_amd64.deb
  to main/o/ocaml/ocaml-nox_4.00.0~beta2-2_amd64.deb
ocaml-source_4.00.0~beta2-2_all.deb
  to main/o/ocaml/ocaml-source_4.00.0~beta2-2_all.deb
ocaml_4.00.0~beta2-2.debian.tar.gz
  to main/o/ocaml/ocaml_4.00.0~beta2-2.debian.tar.gz
ocaml_4.00.0~beta2-2.dsc
  to main/o/ocaml/ocaml_4.00.0~beta2-2.dsc
ocaml_4.00.0~beta2-2_amd64.deb
  to main/o/ocaml/ocaml_4.00.0~beta2-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 659149@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stéphane Glondu <glondu@debian.org> (supplier of updated ocaml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 21 Jun 2012 16:42:25 +0200
Source: ocaml
Binary: ocaml-nox camlp4 camlp4-extra ocaml ocaml-base-nox ocaml-base ocaml-native-compilers ocaml-source ocaml-interp ocaml-compiler-libs ocaml-mode
Architecture: source amd64 all
Version: 4.00.0~beta2-2
Distribution: experimental
Urgency: low
Maintainer: Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>
Changed-By: Stéphane Glondu <glondu@debian.org>
Description: 
 camlp4     - Pre Processor Pretty Printer for OCaml
 camlp4-extra - Pre Processor Pretty Printer for OCaml - extras
 ocaml      - ML language implementation with a class-based object system
 ocaml-base - Runtime system for OCaml bytecode executables
 ocaml-base-nox - Runtime system for OCaml bytecode executables (no X)
 ocaml-compiler-libs - OCaml interpreter and standard libraries
 ocaml-interp - OCaml interactive interpreter and standard libraries
 ocaml-mode - major mode for editing Objective Caml in Emacs
 ocaml-native-compilers - Native code compilers of the OCaml suite (the .opt ones)
 ocaml-nox  - ML implementation with a class-based object system (no X)
 ocaml-source - Sources for Objective Caml
Closes: 659149
Changes: 
 ocaml (4.00.0~beta2-2) experimental; urgency=low
 .
   * Fix natdynlink detection on sparc
   * Cherry-pick an upstream fix in native compilation on powerpc
   * Fixes in the test suite:
     - use legacy -custom for lib-marshal test
     - some tests were still triggering ocamlopt even on bytecode
     - fix asmcomp tests on powerpc
     - fix symbol mangling in asmcomp tests on kfreebsd-i386 and sparc
   * Bump Standards-Version to 3.9.3
 .
 ocaml (4.00.0~beta2-1) experimental; urgency=low
 .
   * New upstream beta release
     - new "R" parameter in OCAMLRUNPARAMS to enable automatic
       randomization of the generic hash function (Closes: #659149,
       CVE-2012-0839)
     - the layout of the ocaml-compiler-libs binary package has changed
       significantly as a result of upstream installing +compiler-libs by
       itself; toplevel libraries have been moved there
   * Change the layout of the ocaml-source binary package
   * Merge changes from version 3.12.1-3

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---
