[Pkg-javascript-devel] Bug#773671: Bug#773671: libv8-3.14: multiple security issues

Jérémy Lal kapouer at melix.org
Wed Jul 27 10:14:02 UTC 2016


2016-07-27 11:29 GMT+02:00 Bálint Réczey <balint at balintreczey.hu>:

> Hi,
>
> 2014-12-29 22:04 GMT+01:00 Moritz Mühlenhoff <jmm at inutil.org>:
> > On Mon, Dec 29, 2014 at 12:28:30PM +0100, Bálint Réczey wrote:
> >> Hi Moritz,
> >>
> >> 2014-12-29 3:01 GMT+01:00 Moritz Mühlenhoff <jmm at inutil.org>:
> >> > On Sun, Dec 21, 2014 at 03:19:42PM -0500, Michael Gilbert wrote:
> >> >> package: src:libv8-3.14
> >> >> severity: grave
> >> >> tags: security
> >> >>
> >> >> Hi,
> >> >>
> >> >> the following vulnerabilities were published for libv8-3.14.
> >> >
> >> > So if I'm understanding the discussion on debian-devel correctly
> >> > the libv8 maintainers want to see this treated as an RC-bug.
> >> > Please clarify your intentions, do you
> >> >
> >> > a) intend to fix these issues with patches and, if that's not possible,
> >> > remove libv8 along with its rev deps?
> >> >
> >> > b) want to keep this with RC severity and tag it jessie-ignore.
> >> > I would consider that rather broken since foo-ignore is used for
> >> > issues which are ignored for once, but which will be addressed
> >> > in release+1. I don't see the libv8 situation change upstream...
> >> The rationale behind opening the RC bugs was improving transparency on
> >> my side. I think more people follow bugs than the security tracker.
> >
> > Ok. In the past we didn't file bugs on libv8 since they were unlikely
> > to be dealt with anyway. We'll file bugs for any future libv8 issues.
> >
> > Cheers,
> >         Moritz
>
> There seem to be people working on the security backports which
> may help in keeping libv8-3.14 in better shape:
>
> ---------- Forwarded message ----------
> From: Jeroen Ooms <jeroen at berkeley.edu>
> Date: 2016-07-25 14:01 GMT+02:00
> Subject: libv8-3.14 patches
> To: Jérémy Lal <kapouer at melix.org>, Jonas Smedegaard <dr at jones.dk>,
> Balint Reczey <balint at balintreczey.hu>
>
>
> Hi!
>
> I am contacting you as maintainers of the libv8-3.14 Debian package.
> Thank you for your work on this package.
>
> We have recently backported important fixes and CVE's to the 3.14
> branch of V8. This was mostly done by Tom Callaway from Redhat for the
> new "v8-314" rpm package in Fedora.
>
>  - https://bugzilla.redhat.com/show_bug.cgi?id=1344415
>  - https://github.com/v8-314/v8
>  - https://groups.google.com/forum/#!topic/v8-dev/qm8c3Hz43bI
>
> I thought it might be useful to point this out, perhaps some fixes
> could be adopted by Debian as well. We tried to persuade the v8
> developers to do an official patch release on the 3.14 branch but they
> don't seem to bother.
>
> Some background: at UC Berkeley we have developed an extensive
> scientific toolkit for geospatial analysis based on libv8 which is in
> use by many scientists and ecologists. However, because Google keeps
> breaking the v8 API, it is important to us that at least the
> libv8-3.14 package will remain available on popular Linux
> distributions.
>
> Thanks again,
>
> Jeroen Ooms
>
> ----8<----
>
> The .spec file linked from the Red Hat bugzilla lists CVE-s fixed:
> https://spot.fedorapeople.org/v8-314.spec
>
> Thanks to Jeroen for contacting us.
>
> Cheers,
> Balint
>
>

Yes, I'm busy right now, and am also currently writing a Request for Help
on solving different issues with v8/nodejs.

Jérémy