Bug#778348: release-notes: document security status for libv8/nodejs in jessie
package: release-notes
severity: important
tags: security
x-debbugs-cc: pkg-javascript-devel@lists.debian.org
Information was added about this problem to the libv8 package [0], but
it would be useful to state something in the release notes also.
Please see draft attached.
Best wishes,
Mike
[0] http://bugs.debian.org/775715
--- en/issues.dbk (revision 10629)
+++ en/issues.dbk (working copy)
@@ -45,6 +45,26 @@
packages.</para>
</section>
+<section id="libv8">
+<title>Lack of security support for the ecosystem around libv8 and nodejs</title>
+<para>
+ nodejs is built on top of libv8, which recieves a high volume of
+ security issues but there are currently no volunteers within the
+ project or the security team sufficiently interested and willing
+ to spend the large amount of time required to stem those incoming
+ issues.
+</para>
+<para>
+ Unfortunately, this means that libv8, nodejs, and the associated
+ node-* package ecosystem should not currently be used with
+ untrusted content, for example unsanitized data from the internet.
+</para>
+<para>
+ In addition, these packages will not recieve any security updates
+ during the lifetime of the jessie release.
+</para>
+</section>
+
<section id="openssh">
<title>OpenSSH server defaults to "PermitRootLogin without-password"</title>
<!-- Wheezy to Jessie -->
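Review bot: "recieves" in the first added para and "recieve" in the third are misspellings of "receives" and "receive"; both should be corrected before this lands in the release notes. Minor wording point in the same hunk: the first para runs the factual statement (libv8 gets a high volume of security issues) and the resourcing statement (nobody in the project or security team has the time to handle them) into one long sentence; splitting it at "but" would read more clearly, e.g. "... receives a high volume of security issues. There are currently no volunteers within the project or the security team ...". The third para states the consequence that matters most to users (no security updates during jessie's lifetime); consider moving it before the "should not currently be used with untrusted content" para so the reason precedes the advice.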