Re: Bug#931376: debian-security-support: mention nodejs is not for untrusted content


On 03/07/2019 15:44, Holger Levsen wrote:
> package: debian-security-support
> x-debbugs-cc: debian-lts@lists.debian.org
> On Wed, Jul 03, 2019 at 02:59:39PM +0200, Sylvain Beucler wrote:
>> I just discovered this while triaging node-fstream:
>> https://www.debian.org/releases/oldstable/amd64/release-notes/ch-information.en.html#libv8
>> https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#libv8
>> "Unfortunately, this means that libv8-3.14, nodejs, and the associated
>> node-* package ecosystem should not currently be used with untrusted
>> content, such as unsanitized data from the Internet.
>> In addition, these packages will not receive any security updates during
>> the lifetime of the Jessie release."
> ouch.
>> I'm surprised that `grep -ir node` doesn't find any match in the
>> 'debian-security-support' repo.
>> Did I miss something or is it something we should do?
> see above & thanks! :)

I see nodejs was added to "security-support-limited", then removed again
because it is supported in buster.

However there is no information about whether we support this package in
jessie (and soon stretch).
Also nodejs was recently added to dla-needed.txt.

Does LTS provide updates for nodejs/nodejs-*, and is there a place where
we can document this decision?