Hi,

The following vulnerability was published for ocaml.

CVE-2026-28364[0]:
| In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in
| Marshal deserialization (runtime/intern.c) enables remote code
| execution through a multi-phase attack chain. The vulnerability
| stems from missing bounds validation in the readblock() function,
| which performs unbounded memcpy() operations using attacker-
| controlled lengths from crafted Marshal data.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-28364
    https://www.cve.org/CVERecord?id=CVE-2026-28364
[1] https://osv.dev/vulnerability/OSEC-2026-01
[2] https://github.com/ocaml/ocaml/commit/e3919fef436f89271bc30bbe8592851f7289fb68
[3] https://github.com/ocaml/ocaml/commit/b0a2614684a52acded784ec213f14ddfe085d146

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
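
The class of check the CVE description says was missing, shown as an added illustration that is not part of the original report and is not the OCaml runtime's code: a simplified length-prefixed reader in C where the copy length comes from the input itself. The names `struct reader`, `read_block_unchecked`, `read_block_checked`, `parse_string`, `OUT` and the record layout are assumptions made for this example.

```c
/* Added illustration: simplified model, NOT the OCaml runtime source.
   All names and the record layout here are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct reader { const unsigned char *src, *end; };

/* Unchecked pattern: trusts len, which was decoded from the input. */
void read_block_unchecked(struct reader *r, void *dest, size_t len) {
    memcpy(dest, r->src, len);              /* can read past r->end */
    r->src += len;
}

/* Checked pattern: refuse any length larger than what is left to read. */
int read_block_checked(struct reader *r, void *dest, size_t len) {
    if (len > (size_t)(r->end - r->src)) return -1;
    memcpy(dest, r->src, len);
    r->src += len;
    return 0;
}

/* Parse one record: 4-byte big-endian length, then that many bytes.
   Returns the payload length, or -1 if the declared length does not fit. */
long parse_string(const unsigned char *buf, size_t n,
                  unsigned char *out, size_t out_cap) {
    struct reader r = { buf, buf + n };
    unsigned char hdr[4];
    if (read_block_checked(&r, hdr, sizeof hdr) != 0) return -1;
    uint32_t len = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
                   ((uint32_t)hdr[2] << 8) | (uint32_t)hdr[3];
    if (len > out_cap) return -1;                         /* destination bound */
    if (read_block_checked(&r, out, len) != 0) return -1; /* source bound */
    return (long)len;
}

/* Constructed inputs: GOOD declares 3 bytes and carries 3;
   BAD declares 200 bytes but carries only 3. */
const unsigned char GOOD[] = { 0, 0, 0, 3, 'a', 'b', 'c' };
const unsigned char BAD[]  = { 0, 0, 0, 200, 'a', 'b', 'c' };
unsigned char OUT[256];

int main(void) {
    printf("good=%ld\n", parse_string(GOOD, sizeof GOOD, OUT, sizeof OUT));
    printf("bad=%ld\n", parse_string(BAD, sizeof BAD, OUT, sizeof OUT));
    return 0;
}
```

Both bounds matter: the declared length is compared against the bytes remaining in the input and against the capacity of the destination before any copy happens.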

We believe that the bug you reported is fixed in the latest version of
ocaml, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1129317@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stéphane Glondu <glondu@debian.org> (supplier of updated ocaml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Mon, 02 Mar 2026 08:28:58 +0100
Source: ocaml
Architecture: source
Version: 5.4.1-1~exp1
Distribution: experimental
Urgency: medium
Maintainer: Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>
Changed-By: Stéphane Glondu <glondu@debian.org>
Closes: 1129317
Changes:
 ocaml (5.4.1-1~exp1) experimental; urgency=medium
 .
   * New upstream release (Closes: #1129317, CVE-2026-28364)
   * Stabilize compiler-libs ABI by not including config.cmx
   * Print .cmi flags in objinfo
   * Bump Standards-Version to 4.7.3
   * Remove Priority field from debian/control

We believe that the bug you reported is fixed in the latest version of
ocaml, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1129317@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stéphane Glondu <glondu@debian.org> (supplier of updated ocaml package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Tue, 16 Jun 2026 21:25:11 +0200
Source: ocaml
Architecture: source
Version: 5.4.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>
Changed-By: Stéphane Glondu <glondu@debian.org>
Closes: 1129317
Changes:
 ocaml (5.4.1-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #1129317, CVE-2026-28364)
   * Stabilize compiler-libs ABI by not including config.cmx
   * Print .cmi flags in objinfo
   * Bump Standards-Version to 4.7.3
   * Remove Priority field from debian/control