Re: Bug#931376: debian-security-support: mention nodejs is not for untrusted content
Hi,
On 03/07/2019 15:44, Holger Levsen wrote:
> package: debian-security-support
> x-debbugs-cc: debian-lts@lists.debian.org
>
> On Wed, Jul 03, 2019 at 02:59:39PM +0200, Sylvain Beucler wrote:
>> I just discovered this while triaging node-fstream:
>> https://www.debian.org/releases/oldstable/amd64/release-notes/ch-information.en.html#libv8
>> https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#libv8
>>
>> "Unfortunately, this means that libv8-3.14, nodejs, and the associated
>> node-* package ecosystem should not currently be used with untrusted
>> content, such as unsanitized data from the Internet.
>> In addition, these packages will not receive any security updates during
>> the lifetime of the Jessie release."
> ouch.
>
>> I'm surprised that `grep -ir node` doesn't find any match in the
>> 'debian-security-support' repo.
>> Did I miss something or is it something we should do?
> see above & thanks! :)
I see nodejs was added to "security-support-limited", then removed again
because it is supported in buster.
However there is no information about whether we support this package in
jessie (and soon stretch).
Also nodejs was recently added to dla-needed.txt.
Does LTS provide updates for nodejs/nodejs-*, and is there a place where
we can document this decision?
Cheers!
Sylvain
Reply to: