
Bug#931376: debian-security-support: mention nodejs is not for untrusted content



package: debian-security-support
x-debbugs-cc: debian-lts@lists.debian.org

On Wed, Jul 03, 2019 at 02:59:39PM +0200, Sylvain Beucler wrote:
> I just discovered this while triaging node-fstream:
> https://www.debian.org/releases/oldstable/amd64/release-notes/ch-information.en.html#libv8
> https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#libv8
> 
> "Unfortunately, this means that libv8-3.14, nodejs, and the associated
> node-* package ecosystem should not currently be used with untrusted
> content, such as unsanitized data from the Internet.
> In addition, these packages will not receive any security updates during
> the lifetime of the Jessie release."

ouch.

> I'm surprised that `grep -ir node` doesn't find any match in the
> 'debian-security-support' repo.
> Did I miss something or is it something we should do?

see above & thanks! :)


-- 
tschau,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
