Your message dated Tue, 16 Jun 2026 19:51:46 +0000
with message-id <[email protected]>
and subject line Bug#1129317: fixed in ocaml 5.4.1-1
has caused the Debian Bug report #1129317,
regarding ocaml: CVE-2026-28364
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1129317: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129317
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ocaml
Version: 5.4.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for ocaml.
CVE-2026-28364[0]:
| In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in
| Marshal deserialization (runtime/intern.c) enables remote code
| execution through a multi-phase attack chain. The vulnerability
| stems from missing bounds validation in the readblock() function,
| which performs unbounded memcpy() operations using attacker-
| controlled lengths from crafted Marshal data.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-28364
https://www.cve.org/CVERecord?id=CVE-2026-28364
[1] https://osv.dev/vulnerability/OSEC-2026-01
[2]
https://github.com/ocaml/ocaml/commit/e3919fef436f89271bc30bbe8592851f7289fb68
[3]
https://github.com/ocaml/ocaml/commit/b0a2614684a52acded784ec213f14ddfe085d146
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: ocaml
Source-Version: 5.4.1-1
Done: Stéphane Glondu <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ocaml, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stéphane Glondu <[email protected]> (supplier of updated ocaml package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 16 Jun 2026 21:25:11 +0200
Source: ocaml
Architecture: source
Version: 5.4.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OCaml Maintainers <[email protected]>
Changed-By: Stéphane Glondu <[email protected]>
Closes: 1129317
Changes:
ocaml (5.4.1-1) unstable; urgency=medium
.
* New upstream release (Closes: #1129317, CVE-2026-28364)
* Stabilize compiler-libs ABI by not including config.cmx
* Print .cmi flags in objinfo
* Bump Standards-Version to 4.7.3
* Remove Priority field from debian/control
Checksums-Sha1:
74de430a6549fcf93ca64c6396e7dc37e46b9d5e 2294 ocaml_5.4.1-1.dsc
9d60a874e203b6747ab296f370235b9f685fa738 39908 ocaml_5.4.1-1.debian.tar.xz
Checksums-Sha256:
5797b5b6622d37e76f3d8c3ff219825dfc6e42b4ac6a596bf2c5648d0ba98a69 2294
ocaml_5.4.1-1.dsc
328cedd66b3a6b12d29197bb7e3858eb136bb2fc466da83084a6c0e0036feb90 39908
ocaml_5.4.1-1.debian.tar.xz
Files:
9c0c179c33a0e9ef026a978acf349cf8 2294 ocaml optional ocaml_5.4.1-1.dsc
e9f215239b19a887560b4d8982f18b7b 39908 ocaml optional
ocaml_5.4.1-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQFGBAEBCgAwFiEEbeJOl+yohsxW5iUOIbju8bGJMIEFAmoxo+gSHGdsb25kdUBk
ZWJpYW4ub3JnAAoJECG47vGxiTCB3pYH/iqEi4l1Rjww+mx2gzsQrc2jFpyfoCS4
TguYDZrvWW1uKayO/ZiOCx7GVZbKjWMxiiTyY+Rtzi1FiAf2nxK/8TNlUIx1cz76
vIkTP5LzV3tBPn0uybVKwyYZvPt3HAPxAoRvIlDjsbyXToxQlP8j2TDCBK+pNw0B
3tuAqbIKps1ZIuzRUoQq1/8NQHebKwn8O3PGCzz+mdZ4NpZDHo/7gU93fYkNPpi1
1nvgjJ2urk1WEJFXDnlKIA0E4gwkHZE1xFSX7pmXOzDUspEMA7wTP29i5FgbEqeq
vXwP+tW4t039NBai6O2NLMHptIdEQWwMVtQGK9szJXROfERcrDOKArg=
=Yfu2
-----END PGP SIGNATURE-----
pgpiwwGDrO0VX.pgp
Description: PGP signature
--- End Message ---
