caml-list - the Caml user's mailing list
From: Evgeny Roubinchtein <zhenya1007@gmail.com>
To: OCaml Mailing List <caml-list@inria.fr>
Subject: [Caml-list] OCaml vs CVE-2017-9779
Date: Tue, 30 Jan 2018 17:43:04 -0800
Message-ID: <CAGYXaSbWu_6j5qkuEs=M-1ycs5-3SB6OhihC8Di6dwZLDbeOQA@mail.gmail.com>

Dear OCaml users and developers,

My current employer ships an executable whose source code is written in
OCaml, and is trying to understand the security implications and mitigating
actions (if any) of CVE-2017-9779. For the purposes of this discussion,
only the native code compiler (ocamlopt) is relevant.

The questions I would hope to get answers to are:

1. Which versions of the OCaml compiler produce executables which are
affected by the vulnerability/ies described in CVE-2017-9779?

2. What mitigation/s (if any) are suggested?

I will point out that my current employer and I are pretty confident that
we understand the issues described by CVE-2017-9772; the assumption we are
operating under is that there is a separate issue/issues that are different
from the issues covered in CVE-2017-9772.

If you would like to continue the discussion off-list, or would like to
encrypt further communication on this subject, or would like to see
non-disclosure agreements signed in triplicate and delivered by bactrian
camels, please let me know what your requirements are: I will so inform my
employer and we'll try to accommodate.

Thank you in advance!

-- 
Best,
Evgeny ("Zhenya")
