[Pkg-javascript-devel] Bug#773671: Bug#773671: libv8-3.14: multiple security issues

Bálint Réczey balint at balintreczey.hu
Wed Jul 27 09:29:16 UTC 2016


Hi,

2014-12-29 22:04 GMT+01:00 Moritz Mühlenhoff <jmm at inutil.org>:
> On Mon, Dec 29, 2014 at 12:28:30PM +0100, Bálint Réczey wrote:
>> Hi Moritz,
>>
>> 2014-12-29 3:01 GMT+01:00 Moritz Mühlenhoff <jmm at inutil.org>:
>> > On Sun, Dec 21, 2014 at 03:19:42PM -0500, Michael Gilbert wrote:
>> >> package: src:libv8-3.14
>> >> severity: grave
>> >> tags: security
>> >>
>> >> Hi,
>> >>
>> >> the following vulnerabilities were published for libv8-3.14.
>> >
>> > So if I'm understanding the discussion on debian-devel correctly
>> > the libv8 maintainers want to see this treated as an RC-bug.
>> > Please clarify your intentions, do you
>> >
>> > a) intend to fix these issues with patches and, if that's not possible,
>> > remove libv8 along with its rev deps?
>> >
>> > b) want to keep this with RC severity and tag it jessie-ignore.
>> > I would consider that rather broken since foo-ignore is used for
>> > issues which are ignored for once, but which will be addressed
>> > in release+1. I don't see the libv8 situation change upstream...
>> The rationale behind opening the RC bugs was improving transparency on
>> my side. I think more people follow bugs than the security tracker.
>
> Ok. In the past we didn't file bugs on libv8 since they were unlikely
> to be dealt with anyway. We'll file bugs for any future libv8 issues.
>
> Cheers,
>         Moritz

There seem to be people working on the security backports which
may help in keeping libv8-3.14 in better shape:

---------- Forwarded message ----------
From: Jeroen Ooms <jeroen at berkeley.edu>
Date: 2016-07-25 14:01 GMT+02:00
Subject: libv8-3.14 patches
To: Jérémy Lal <kapouer at melix.org>, Jonas Smedegaard <dr at jones.dk>,
Balint Reczey <balint at balintreczey.hu>


Hi!

I am contacting you as maintainers of the libv8-3.14 Debian package.
Thank you for your work on this package.

We have recently backported important fixes and CVEs to the 3.14
branch of V8. This was mostly done by Tom Callaway from Red Hat for the
new "v8-314" rpm package in Fedora.

 - https://bugzilla.redhat.com/show_bug.cgi?id=1344415
 - https://github.com/v8-314/v8
 - https://groups.google.com/forum/#!topic/v8-dev/qm8c3Hz43bI

I thought it might be useful to point this out, perhaps some fixes
could be adopted by Debian as well. We tried to persuade the v8
developers to do an official patch release on the 3.14 branch but they
don't seem to bother.

Some background: at UC Berkeley we have developed an extensive
scientific toolkit for geospatial analysis based on libv8 which is in
use by many scientists and ecologists. However, because Google keeps
breaking the v8 API, it is important that at least the
libv8-3.14 package will remain available on popular Linux
distributions.

Thanks again,

Jeroen Ooms

----8<----

The .spec file linked from the Red Hat bugzilla lists the CVEs fixed:
https://spot.fedorapeople.org/v8-314.spec

Thanks to Jeroen for contacting us.

Cheers,
Balint
