Bug#778348: release-notes: document security status for libv8/nodejs in jessie
Control: tags -1 pending
On 2015-02-13 22:35, Michael Gilbert wrote:
> package: release-notes
> severity: important
> tags: security
> x-debbugs-cc: pkg-javascript-devel@lists.debian.org
>
> Information was added about this problem to the libv8 package [0], but
> it would be useful to state something in the release notes also.
> Please see draft attached.
>
> Best wishes,
> Mike
>
> [0] http://bugs.debian.org/775715
>
Hi,
I have attached Michael's patch (with Stephan's typo fixes) and included
a few minor changes on top of this. The result is attached as
0001-en-issues-Document-lack-of-security-support-for-Node.patch.
Review/remarks welcome.
Thanks,
~Niels
From b4a2d1c275bf871705d53b4861c1dd26f568f2c8 Mon Sep 17 00:00:00 2001
From: nthykier <nthykier@313b444b-1b9f-4f58-a734-7bb04f332e8d>
Date: Mon, 16 Feb 2015 08:07:01 +0000
Subject: [PATCH 1/2] en/issues: Document lack of security support for Node.js
Includes typo fixes, mark-up changes and minor word changes from
Stephan Beck <sbeck@mailbox.org> and nthykier.
Closes: #778348
Written-by: Michael Gilbert <mgilbert@debian.org>
Signed-off-by: Niels Thykier <niels@thykier.net>
git-svn-id: svn+ssh://svn.debian.org/svn/ddp/manuals/trunk/release-notes@10634 313b444b-1b9f-4f58-a734-7bb04f332e8d
---
en/issues.dbk | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/en/issues.dbk b/en/issues.dbk
index 51a144f..8b232f5 100644
--- a/en/issues.dbk
+++ b/en/issues.dbk
@@ -45,6 +45,28 @@ role="package">debian-security-support</systemitem>, introduced in
packages.</para>
</section>
+<section id="libv8">
+<title>Lack of security support for the ecosystem around libv8 and Node.js</title>
+<para>
+ The Node.js platform is built on top of libv8, which receives a
+ high volume of security issues but there are currently no
+ volunteers within the project or the security team sufficiently
+ interested and willing to spend the large amount of time required
+ to stem those incoming issues.
+</para>
+<para>
+ Unfortunately, this means that <systemitem
+ role="package">libv8</systemitem>, <systemitem
+ role="package">nodejs</systemitem>, and the associated node-*
+ package ecosystem should not currently be used with untrusted
+ content, for example unsanitized data from the internet.
+</para>
+<para>
+ In addition, these packages will not receive any security updates
+ during the lifetime of the jessie release.
+</para>
+</section>
+
<section id="openssh">
<title>OpenSSH server defaults to "PermitRootLogin without-password"</title>
<!-- Wheezy to Jessie -->
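Review bot: the first <para> of the new libv8 section is one run-on sentence; it needs at least a comma before "but" ("high volume of security issues, but there are currently no"), and "to stem those incoming issues" reads more plainly as "to triage and fix those issues". Two smaller points in the same hunk: "node-*" is bare text in the DocBook source and should be marked up (e.g. <literal>node-*</literal>) like the neighbouring package names, and since the section lands right after the debian-security-support text visible in the leading context ("role="package">debian-security-support</systemitem>, introduced in"), a short sentence telling readers that this package is how they can see that libv8 and nodejs are unsupported would tie the two sections together.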
--
2.1.4