
Bug#778348: release-notes: document security status for libv8/nodejs in jessie



package: release-notes
severity: important
tags: security
x-debbugs-cc: pkg-javascript-devel@lists.debian.org

Information was added about this problem to the libv8 package [0], but
it would be useful to state something in the release notes also.
Please see draft attached.

Best wishes,
Mike

[0] http://bugs.debian.org/775715
--- en/issues.dbk	(revision 10629)
+++ en/issues.dbk	(working copy)
@@ -45,6 +45,26 @@
 packages.</para>
 </section>
 
+<section id="libv8">
+<title>Lack of security support for the ecosystem around libv8 and nodejs</title>
+<para>
+   nodejs is built on top of libv8, which recieves a high volume of
+   security issues but there are currently no volunteers within the
+   project or the security team sufficiently interested and willing
+   to spend the large amount of time required to stem those incoming
+   issues.
+</para>
+<para>
+   Unfortunately, this means that libv8, nodejs, and the associated
+   node-* package ecosystem should not currently be used with
+   untrusted content, for example unsanitized data from the internet.
+</para>
+<para>
+   In addition, these packages will not recieve any security updates
+   during the lifetime of the jessie release.
+</para>
+</section>
+
 <section id="openssh">
   <title>OpenSSH server defaults to "PermitRootLogin without-password"</title>
   <!-- Wheezy to Jessie -->
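Review bot: "recieves" is misspelled in two of the added lines of the libv8 section ("which recieves a high volume of" and "these packages will not recieve any security updates"); it should read "receives" and "receive". Since the first paragraph refers to incoming security issues, it would also help readers if the section pointed them to the bug where the libv8 package itself documents this status, as the cover mail does with [0], so that the release notes and the package information stay in sync.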
