Skip to content

2.5.2

Latest

Choose a tag to compare

@kit-ty-kate kit-ty-kate released this 09 Jul 10:18
ad0564f

This is the release of opam 2.5.2.

Binaries and full archive are signed by the opam dev team (fingerprint 92C5 26AE 50DF 3947 0EB2 911B ED4C F1CA 67CB AA92).
To verify the authenticity of one of these files, run the following commands:

curl -fsSLO https://opam.ocaml.org/opam-dev-pubkey.pgp
gpg --import opam-dev-pubkey.pgp
gpg --verify *.sig

Please see our blog post for more details and the upgrade instructions.

Changelog:

Security fix

  • Fix a bug that allowed a package to install files anywhere on the system using a symlink to an external directory without warning the user and asking for their permission: CVE-2026-57825 / OSEC-2026-10. [#7005 @NathanReb]

Other changes