--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: release-notes: document security status for libv8/nodejs in jessie
- From: Michael Gilbert <mgilbert@debian.org>
- Date: Fri, 13 Feb 2015 16:35:45 -0500
- Message-id: <CANTw=MPaxArxO+sWn9-9jMTGvN9y8JUmsxkGP=ab8yH9dHzm-A@mail.gmail.com>
package: release-notes
severity: important
tags: security
x-debbugs-cc: pkg-javascript-devel@lists.debian.org
Information was added about this problem to the libv8 package [0], but
it would be useful to state something in the release notes also.
Please see draft attached.
Best wishes,
Mike
[0] http://bugs.debian.org/775715
--- en/issues.dbk (revision 10629)
+++ en/issues.dbk (working copy)
@@ -45,6 +45,26 @@
packages.</para>
</section>
+<section id="libv8">
+<title>Lack of security support for the ecosystem around libv8 and nodejs</title>
+<para>
+ nodejs is built on top of libv8, which recieves a high volume of
+ security issues but there are currently no volunteers within the
+ project or the security team sufficiently interested and willing
+ to spend the large amount of time required to stem those incoming
+ issues.
+</para>
+<para>
+ Unfortunately, this means that libv8, nodejs, and the associated
+ node-* package ecosystem should not currently be used with
+ untrusted content, for example unsanitized data from the internet.
+</para>
+<para>
+ In addition, these packages will not recieve any security updates
+ during the lifetime of the jessie release.
+</para>
+</section>
+
<section id="openssh">
<title>OpenSSH server defaults to "PermitRootLogin without-password"</title>
<!-- Wheezy to Jessie -->
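Review bot: "recieves" and "recieve" in the new <section id="libv8"> are misspelled (should be "receives" and "receive"), at `+ nodejs is built on top of libv8, which recieves a high volume of` and `+ In addition, these packages will not recieve any security updates`. The first <para> also runs two clauses together; a comma before "but" (or splitting it into two sentences) would make the point that nobody is currently handling the incoming issues easier to read. Since the section names packages, it would help readers to use the binary package name actually shipped in jessie (libv8-3.14, as noted later in this thread) rather than bare "libv8", so they can match it against their installed package list.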
--- End Message ---
--- Begin Message ---
On 2015-03-01 21:18, Niels Thykier wrote:
> On 2015-02-17 01:14, Stephan Beck wrote:
>> Package: release-notes
>>
>>
>> Hi,
>>
>> I added a missing tag twice and revised punctuation.
>> What I don't know is if the occurrence of "jessie" requires another tag to be
>> inserted.
>>
>> Please find attached the diff of the patch as
>> 0002-en-issues-Document-lack-of-security-support-for-Node.patch
>>
>> Good night
>>
>> Stephan Beck
>>
>>
>>
>>
>
> Thanks, I have applied it with a few changes.
>
> I omitted the <systemitem> around "libv8" and "Node.js" in the title, as
> they are not package names but "project names". Indeed, "Node.js" is not
> even a valid package name. I have also changed later references to
> libv8-3.14 as that is the actual package name.
>
> Thanks,
> ~Niels
>
It seems there are no more remarks to this one, so I will be closing
this bug now. Should there be further remarks, please feel free to file
a new bug.
Thanks,
~Niels
--- End Message ---