2016-07-27 11:29 GMT+02:00 Bálint Réczey <[email protected]>:
> Hi,
>
> 2014-12-29 22:04 GMT+01:00 Moritz Mühlenhoff <[email protected]>:
> > On Mon, Dec 29, 2014 at 12:28:30PM +0100, Bálint Réczey wrote:
> >> Hi Moritz,
> >>
> >> 2014-12-29 3:01 GMT+01:00 Moritz Mühlenhoff <[email protected]>:
> >> > On Sun, Dec 21, 2014 at 03:19:42PM -0500, Michael Gilbert wrote:
> >> >> package: src:libv8-3.14
> >> >> severity: grave
> >> >> tags: security
> >> >>
> >> >> Hi,
> >> >>
> >> >> the following vulnerabilities were published for libv8-3.14.
> >> >
> >> > So if I'm understanding the discussion on debian-devel correctly,
> >> > the libv8 maintainers want to see this treated as an RC bug.
> >> > Please clarify your intentions. Do you
> >> >
> >> > a) intend to fix these issues with patches and, if that's not possible,
> >> > remove libv8 along with its rev deps?
> >> >
> >> > b) want to keep this with RC severity and tag it jessie-ignore?
> >> > I would consider that rather broken, since foo-ignore is used for
> >> > issues which are ignored for once, but which will be addressed
> >> > in release+1. I don't see the libv8 situation changing upstream...
> >> The rationale behind opening the RC bugs was improving transparency on
> >> my side. I think more people follow bugs than the security tracker.
> >
> > Ok. In the past we didn't file bugs on libv8 since they were unlikely
> > to be dealt with anyway. We'll file bugs for any future libv8 issues.
> >
> > Cheers,
> > Moritz
>
> There seem to be people working on the security backports, which
> may help in keeping libv8-3.14 in better shape:
>
> ---------- Forwarded message ----------
> From: Jeroen Ooms <[email protected]>
> Date: 2016-07-25 14:01 GMT+02:00
> Subject: libv8-3.14 patches
> To: Jérémy Lal <[email protected]>, Jonas Smedegaard <[email protected]>,
> Balint Reczey <[email protected]>
>
>
> Hi!
>
> I am contacting you as maintainers of the libv8-3.14 Debian package.
> Thank you for your work on this package.
>
> We have recently backported important fixes and CVEs to the 3.14
> branch of V8. This was mostly done by Tom Callaway from Red Hat for the
> new "v8-314" rpm package in Fedora.
>
> - https://bugzilla.redhat.com/show_bug.cgi?id=1344415
> - https://github.com/v8-314/v8
> - https://groups.google.com/forum/#!topic/v8-dev/qm8c3Hz43bI
>
> I thought it might be useful to point this out; perhaps some fixes
> could be adopted by Debian as well. We tried to persuade the v8
> developers to do an official patch release on the 3.14 branch, but they
> don't seem to bother.
>
> Some background: at UC Berkeley we have developed an extensive
> scientific toolkit for geospatial analysis based on libv8, which is in
> use by many scientists and ecologists. However, because Google keeps
> breaking the v8 API, it is important to us that at least the
> libv8-3.14 package will remain available on popular Linux
> distributions.
>
> Thanks again,
>
> Jeroen Ooms
>
> ----8<----
>
> The .spec file linked from the Red Hat bugzilla lists the CVEs fixed:
> https://spot.fedorapeople.org/v8-314.spec
>
> Thanks to Jeroen for contacting us.
>
> Cheers,
> Balint
>
Yes, I'm busy right now, and am also currently writing a Request for Help on solving different issues with v8/nodejs.

Jérémy
-- 
Pkg-javascript-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
