
Bug#778348: marked as done (release-notes: document security status for libv8/nodejs in jessie)



Your message dated Thu, 26 Mar 2015 07:50:54 +0100
with message-id <5513AC4E.1020102@thykier.net>
and subject line Re: Bug#778348: [release-notes] release-notes:document security status for libv8/nodejs in jessie - added missing tag
has caused the Debian Bug report #778348,
regarding release-notes: document security status for libv8/nodejs in jessie
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
778348: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778348
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
package: release-notes
severity: important
tags: security
x-debbugs-cc: pkg-javascript-devel@lists.debian.org

Information was added about this problem to the libv8 package [0], but
it would be useful to state something in the release notes also.
Please see draft attached.

Best wishes,
Mike

[0] http://bugs.debian.org/775715
--- en/issues.dbk	(revision 10629)
+++ en/issues.dbk	(working copy)
@@ -45,6 +45,26 @@
 packages.</para>
 </section>
 
+<section id="libv8">
+<title>Lack of security support for the ecosystem around libv8 and nodejs</title>
+<para>
+   nodejs is built on top of libv8, which recieves a high volume of
+   security issues but there are currently no volunteers within the
+   project or the security team sufficiently interested and willing
+   to spend the large amount of time required to stem those incoming
+   issues.
+</para>
+<para>
+   Unfortunately, this means that libv8, nodejs, and the associated
+   node-* package ecosystem should not currently be used with
+   untrusted content, for example unsanitized data from the internet.
+</para>
+<para>
+   In addition, these packages will not recieve any security updates
+   during the lifetime of the jessie release.
+</para>
+</section>
+
 <section id="openssh">
   <title>OpenSSH server defaults to "PermitRootLogin without-password"</title>
   <!-- Wheezy to Jessie -->
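Review bot: "recieves" in the first <para> and "recieve" in the third <para> of the new libv8 section are misspelled; they should read "receives" and "receive". A second point on the same hunk: "libv8" is used as if it were the binary package name, but as noted later in this thread the actual package in jessie is libv8-3.14, so the references to the package (as opposed to the project) in the second and third paragraphs should name libv8-3.14 and be marked up with the <systemitem> tag used for package names elsewhere in the thread, while the title can keep the bare project names "libv8" and "Node.js".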

--- End Message ---
--- Begin Message ---
On 2015-03-01 21:18, Niels Thykier wrote:
> On 2015-02-17 01:14, Stephan Beck wrote:
>> Package: release-notes
>>
>>
>> Hi,
>>
>> I added a missing tag twice and revised punctuation.
>> What I don't know is if the occurrence of "jessie" requires another tag to be
>> inserted.
>>
>> Please find attached the diff of the patch as
>> 0002-en-issues-Document-lack-of-security-support-for-Node.patch
>>
>> Good night
>>
>> Stephan Beck
>>
>>
>>
>>
> 
> Thanks, I have applied it with a few changes.
> 
> I omitted the <systemitem> around "libv8" and "Node.js" in the title, as
> they are not package names but "project names".  Indeed, "Node.js" is not
> even a valid package name.  I have also changed later references to
> libv8-3.14 as that is the actual package name.
> 
> Thanks,
> ~Niels
> 

It seems there are no more remarks to this one, so I will be closing
this bug now.  Should there be further remarks, please feel free to file
a new bug.

Thanks,
~Niels

--- End Message ---