CVE-2012-0839 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0839): OCaml 3.12.1 and earlier computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. More information: http://www.mail-archive.com/caml-list@inria.fr/msg01477.html
I don't understand what you expect here; ocaml is a language and dev-lang/ocaml its compiler and interpreter. You wouldn't blame gcc because 'while(1)' is allowed in C...
Things like this can be relevant though, but it's rather at application level than compiler level: 011-12-30 Gerd Stolpmann <gerd@gerd-stolpmann.de> * Security: adding limit max_arguments to Netcgi. This is more a general measure of precaution against DoS attacks where a specially crafted POST request contains many keys that collide massively in the hash table. Actually, Ocamlnet is not directly vulnerable; however, application programs can nevertheless be when they access a degenerated hash table. (changelog of dev-ml/ocamlnet-3.5)
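The two mitigations in play here (an argument-count cap in front of the parser, as Netcgi's max_arguments does, and the seeded hash tables that OCaml 4.00 added in response to the CVE) as an added, self-contained example. This is not code from the bug, from Ocamlnet or from the OCaml distribution; the names find_colliding_keys, split_pairs, parse_form, max_chain and Too_many_args are hypothetical, and the example assumes OCaml 4.05 or later (Hashtbl.create ~random, Hashtbl.stats, String.index_opt). The "attacker" half brute-forces keys against the unseeded Hashtbl.hash, which is what a fixed, publicly known hash function permits:

```ocaml
(* Added example, not from the bug thread, Ocamlnet or the OCaml stdlib.
   Hypothetical names: find_colliding_keys, split_pairs, parse_form,
   max_chain, Too_many_args.  Assumes OCaml >= 4.05. *)

exception Too_many_args of int

(* Attacker side, computed offline.  A generic Hashtbl picks the bucket as
   hash land (num_buckets - 1), so keys whose unseeded Hashtbl.hash agrees
   in the low [bits] bits share one bucket until the table grows past
   2^bits buckets, and Hashtbl only doubles once bindings exceed twice the
   bucket count.  With bits = 12 that covers up to 8192 colliding keys. *)
let find_colliding_keys ~bits ~n =
  let mask = (1 lsl bits) - 1 in
  let target = Hashtbl.hash "k0" land mask in
  let rec go i acc found =
    if found = n then List.rev acc
    else
      let s = Printf.sprintf "k%d" i in
      if Hashtbl.hash s land mask = target then go (i + 1) (s :: acc) (found + 1)
      else go (i + 1) acc found
  in
  go 0 [] 0

(* Split an application/x-www-form-urlencoded body into (key, value)
   pairs.  Percent-decoding is left out; it does not affect the bucket
   argument being made here. *)
let split_pairs body =
  String.split_on_char '&' body
  |> List.filter (fun s -> s <> "")
  |> List.map (fun kv ->
         match String.index_opt kv '=' with
         | Some i ->
             (String.sub kv 0 i, String.sub kv (i + 1) (String.length kv - i - 1))
         | None -> (kv, ""))

(* Server side.  [max_args] plays the role of Netcgi's max_arguments: the
   request is refused before a single key is inserted.  [random] selects
   the seeded table (OCaml 4.00+), so collisions precomputed against the
   public hash no longer line up with this process's buckets. *)
let parse_form ?(max_args = 1000) ?(random = true) body =
  let pairs = split_pairs body in
  let n = List.length pairs in
  if n > max_args then raise (Too_many_args n);
  let tbl = Hashtbl.create ~random 16 in
  List.iter (fun (k, v) -> Hashtbl.replace tbl k v) pairs;
  tbl

(* Length of the longest chain: the number a "degenerated" table shows. *)
let max_chain tbl = (Hashtbl.stats tbl).Hashtbl.max_bucket_length

let () =
  (* Constructed hostile body: 500 keys that collide in the low 12 bits. *)
  let keys = find_colliding_keys ~bits:12 ~n:500 in
  let body = String.concat "&" (List.map (fun k -> k ^ "=x") keys) in
  (* Unseeded table, no cap: every binding lands in one bucket, so each
     lookup and each further insert walks a 500-element chain. *)
  let bad = parse_form ~max_args:max_int ~random:false body in
  Printf.printf "unseeded table: max bucket length = %d\n" (max_chain bad);
  (* Seeded table, no cap: the same keys spread across the buckets. *)
  let good = parse_form ~max_args:max_int ~random:true body in
  Printf.printf "seeded table:   max bucket length = %d\n" (max_chain good);
  (* Argument cap: rejected before any hashing happens at all. *)
  match parse_form ~max_args:100 body with
  | _ -> print_endline "unexpected: request accepted"
  | exception Too_many_args n ->
      Printf.printf "rejected: %d arguments exceed the cap of 100\n" n
```

The two measures are complementary: the cap bounds the work an attacker can buy with one request regardless of the hash function, while seeding removes the attacker's ability to precompute collisions at all. Seeding can also be switched on for every generic Hashtbl in a program with `Hashtbl.randomize ()` at startup or with the `R` flag in `OCAMLRUNPARAM`, which is the practical fix for applications that cannot audit every table they build from untrusted keys.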
(In reply to comment #2)
> Things like this can be relevant though, but it's rather at application level
> than compiler level:
>
> 011-12-30 Gerd Stolpmann <gerd@gerd-stolpmann.de>
>
> * Security: adding limit max_arguments to Netcgi. This is more
> a general measure of precaution against DoS attacks where
> a specially crafted POST request contains many keys that
> collide massively in the hash table. Actually, Ocamlnet is
> not directly vulnerable; however, application programs can
> nevertheless be when they access a degenerated hash table.
>
> (changelog of dev-ml/ocamlnet-3.5)

Thanks for this. Can we move forward and stabilize =dev-ml/ocamlnet-3.5?
(In reply to comment #3)
> Thanks for this. Can we move forward and stabilize =dev-ml/ocamlnet-3.5?

yes
Arches, please test and mark stable: =dev-ml/ocamlnet-3.5 Target keywords : "amd64 ppc x86"
amd64 stable
x86 stable
ppc stable
Thanks, everyone. GLSA vote: yes.
GLSA Vote: no.
NO too, closing.