[Bug 1837038] Re: Broken and defunct libv8-3.14 urgently needs removal
This has been removed from eoan pursuant to its removal from Debian.

Debian removal comment:
ROM; outdated and useless library; Debian bug #934734

** Changed in: libv8-3.14 (Ubuntu)
       Status: New => Fix Released

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1837038

Title:
  Broken and defunct libv8-3.14 urgently needs removal

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libv8-3.14/+bug/1837038/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1837038] Re: Broken and defunct libv8-3.14 urgently needs removal
Also removed from Ubuntu Eoan recently (https://launchpad.net/ubuntu/+source/libv8-3.14/+publishinghistory)

I see Disco (19.04) was mentioned above, though I don't know if packages can/will be removed from non-development releases.
[Bug 1837038] Re: Broken and defunct libv8-3.14 urgently needs removal
It looks like the problem has been solved upstream by Debian who has removed this package from sid.
[Bug 1837038] Re: Broken and defunct libv8-3.14 urgently needs removal
Oh! Jeroen! I'm sorry I didn't notice who reported this bug when responding earlier. :) Hello again, it's good to hear from you.

Thanks for the details.
[Bug 1837038] Re: Broken and defunct libv8-3.14 urgently needs removal
In the latest versions of Debian/Ubuntu, postgresql-10-plv8 has already been removed and r-cran-v8 has been ported to use the working v8 provided by libnode: https://packages.ubuntu.com/eoan/r-cran-v8

So this only leaves 'uwsgi-plugin-v8'. In Debian this package has been removed from the stable distributions, but it is still in 'unstable'. I am not sure what this package does but it can not possibly work because libv8-314 crashes when you try to initiate it.
[Bug 1837038] Re: Broken and defunct libv8-3.14 urgently needs removal
On my Bionic box, I see there are a few direct reverse dependencies:

$ apt-rdepends --reverse libv8-3.14.5
Reading package lists... Done
Building dependency tree
Reading state information... Done
libv8-3.14.5
  Reverse Depends: libv8-3.14-dbg (= 3.14.5.8-11ubuntu1)
  Reverse Depends: libv8-3.14-dev (= 3.14.5.8-11ubuntu1)
  Reverse Depends: libv8-dev (= 3.14.5.8-11ubuntu1)
  Reverse Depends: postgresql-10-plv8 (1:1.4.10.ds-2)
  Reverse Depends: r-cran-v8 (1.5-1)
  Reverse Depends: uwsgi-plugin-v8 (2.0.15+10+0.0.3)
libv8-3.14-dbg
libv8-3.14-dev
libv8-dev
postgresql-10-plv8
  Reverse Depends: postgresql-10-plv8-dbgsym (= 1:1.4.10.ds-2)
postgresql-10-plv8-dbgsym
r-cran-v8
  Reverse Depends: r-cran-v8-dbgsym (= 1.5-1)
r-cran-v8-dbgsym
uwsgi-plugin-v8
  Reverse Depends: uwsgi-plugin-v8-dbgsym (= 2.0.15+10+0.0.3)
uwsgi-plugin-v8-dbgsym

$ acsh postgresql-10-plv8
Package: postgresql-10-plv8
Architecture: amd64
Version: 1:1.4.10.ds-2
Priority: extra
Section: universe/database
Source: plv8
Origin: Ubuntu
Maintainer: Ubuntu Developers
Original-Maintainer: Debian PostgreSQL Maintainers
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 131
Provides: postgresql-plv8
Depends: postgresql-10, libc6 (>= 2.14), libgcc1 (>= 1:3.0), libstdc++6 (>= 5.2), libv8-3.14.5
Filename: pool/universe/p/plv8/postgresql-10-plv8_1.4.10.ds-2_amd64.deb
Size: 47592
MD5sum: 84d40c9333535f5fee482e59ea398eab
SHA1: 7f05205564529b1962a343e3ac640d3b35c03697
SHA256: 2af68464c9b39f8af33c79e17b9c3ef65cb7e37d56d39efbe48bf166394bdd9e
Homepage: https://github.com/plv8/plv8
Description-en: Procedural language interface between PostgreSQL and JavaScript
 V8 is a high performance JavaScript engine written in C++. It is used in
 the document-oriented data store MongoDB.
 .
 PostgreSQL is an open source SQL database server.
 .
 This package provides a procedural language interface to JavaScript from
 PostgreSQL. Procedural languages are used to write functions which can be
 called in database queries.
Description-md5: cb193632a564b400b3bf3ac64a8d0cec

$ acsh r-cran-v8
Package: r-cran-v8
Architecture: amd64
Version: 1.5-1
Priority: optional
Section: universe/gnu-r
Origin: Ubuntu
Maintainer: Ubuntu Developers
Original-Maintainer: Debian Science Maintainers
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 1007
Depends: r-base-core (>= 3.4.2-1ubuntu2), r-api-3.4, r-cran-rcpp (>= 0.12), r-cran-jsonlite (>= 1.0), r-cran-curl (>= 1.0), libc6 (>= 2.14), libgcc1 (>= 1:3.0), libstdc++6 (>= 5.2), libv8-3.14.5, libjs-underscore
Suggests: r-cran-testthat, r-cran-knitr
Filename: pool/universe/r/r-cran-v8/r-cran-v8_1.5-1_amd64.deb
Size: 301824
MD5sum: 4daf6d2a1519b20ae1ade180d74a8838
SHA1: 413de1e91f504000b84f5a4b6c678542b980
SHA256: 946c15c739b2cdf19f0edbd226a89e380ecbc8bd5b57244adde5653f4550d883
Homepage: https://cran.r-project.org/package=V8
Description-en: Embedded JavaScript Engine for R
 An R interface to Google's open source JavaScript engine. V8 is written in
 C++ and implements ECMAScript as specified in ECMA-262, 5th edition. In
 addition, this package implements typed arrays as specified in ECMA 6 used
 for high-performance computing and libraries compiled with 'emscripten'.
Description-md5: b94ca5d24c7a9346a44c0d63937229cf

$ acsh uwsgi-plugin-v8
Package: uwsgi-plugin-v8
Architecture: amd64
Version: 2.0.15+10+0.0.3
Priority: extra
Section: universe/web
Source: uwsgi-plugin-v8 (0.0.3)
Origin: Ubuntu
Maintainer: Ubuntu Developers
Original-Maintainer: uWSGI packaging team
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 60
Depends: libc6 (>= 2.14), libgcc1 (>= 1:3.0), libstdc++6 (>= 4.1.1), libv8-3.14.5, uwsgi-abi-8ecc7b0491fca07eb2d7b0c9aaeb180f
Filename: pool/universe/u/uwsgi-plugin-v8/uwsgi-plugin-v8_2.0.15+10+0.0.3_amd64.deb
Size: 25292
MD5sum: 4acbbf106375e562bf7334ce7ea2d95c
SHA1: 7850bf86eb6d81105fd333085079741e61d0d606
SHA256: 27a7f591b3dcace6ad826d8578bdc36814b20e6c833bedf7e39be5a863916621
Homepage: https://uwsgi-docs.readthedocs.io/en/latest/
Description-en: JavaScript V8 plugin for uWSGI
 uWSGI presents a complete stack for networked/clustered web applications,
 implementing message/object passing, caching, RPC and process management.
 It is designed to be fully modular. This means that different plugins can
 be used in order to add compatibility with tons of different technology on
 top of the same core.
 .
 This package provides V8 plugin for uWSGI.
Description-md5: b911def1bbb742940a1e5f65e79771b3
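Added example, not part of the thread or of any Ubuntu tooling: a small parser for the `apt-rdepends --reverse` output quoted in the message above, which walks the reverse-dependency tree and reports the packages that still hold the vulnerable library in the archive. The two-space indentation in the sample and the `OWN` set of binaries assumed to be built from the libv8-3.14 source itself are assumptions; the function names are illustrative.

```python
import re

# Constructed from the Bionic output in the thread, re-indented as apt-rdepends prints it.
SAMPLE = """\
libv8-3.14.5
  Reverse Depends: libv8-3.14-dbg (= 3.14.5.8-11ubuntu1)
  Reverse Depends: libv8-3.14-dev (= 3.14.5.8-11ubuntu1)
  Reverse Depends: libv8-dev (= 3.14.5.8-11ubuntu1)
  Reverse Depends: postgresql-10-plv8 (1:1.4.10.ds-2)
  Reverse Depends: r-cran-v8 (1.5-1)
  Reverse Depends: uwsgi-plugin-v8 (2.0.15+10+0.0.3)
libv8-3.14-dbg
libv8-3.14-dev
libv8-dev
postgresql-10-plv8
  Reverse Depends: postgresql-10-plv8-dbgsym (= 1:1.4.10.ds-2)
postgresql-10-plv8-dbgsym
r-cran-v8
  Reverse Depends: r-cran-v8-dbgsym (= 1.5-1)
r-cran-v8-dbgsym
uwsgi-plugin-v8
  Reverse Depends: uwsgi-plugin-v8-dbgsym (= 2.0.15+10+0.0.3)
uwsgi-plugin-v8-dbgsym
"""
EDGE = re.compile(r"^\s+Reverse Depends:\s+(\S+)")
# Assumption: binaries built from the libv8-3.14 source; they go away with it.
OWN = {"libv8-3.14-dbg", "libv8-3.14-dev", "libv8-dev"}

def parse_rdepends(text):
    """Map each package to the packages that directly depend on it."""
    graph, current = {}, None
    for line in text.splitlines():
        edge = EDGE.match(line)
        if edge and current is not None:
            graph[current].append(edge.group(1))
        elif line.strip() and not line[0].isspace():
            current = line.strip()          # unindented line starts a new node
            graph.setdefault(current, [])
    return graph

def removal_blockers(graph, root, own_binaries):
    """Transitive reverse deps of root, minus its own binaries and -dbgsym."""
    seen, todo = set(), [root]
    while todo:
        for pkg in graph.get(todo.pop(), []):
            if pkg not in seen:
                seen.add(pkg)
                todo.append(pkg)
    return sorted(p for p in seen if p not in own_binaries and not p.endswith("-dbgsym"))
```

Calling `removal_blockers(parse_rdepends(SAMPLE), "libv8-3.14.5", OWN)` yields the three packages the thread goes on to discuss: postgresql-10-plv8, r-cran-v8 and uwsgi-plugin-v8.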
[Bug 1837038] Re: Broken and defunct libv8-3.14 urgently needs removal
Is there somebody that can take a look at this? Again libv8-3.14 crashes on start, has a lot of security issues and has been removed from Debian stable. What's worse is that libv8-3.14 is masking the working version of libv8-dev from libnode-dev.

Copying from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773671:

The following vulnerabilities were published for libv8-3.14.

CVE-2013-2632[0]:
| Google V8 before 3.17.13, as used in Google Chrome before 27.0.1444.3,
| allows remote attackers to cause a denial of service (application
| crash) or possibly have unspecified other impact via crafted
| JavaScript code, as demonstrated by the Bejeweled game.

CVE-2013-2838[1]:
| Google V8, as used in Google Chrome before 27.0.1453.93, allows remote
| attackers to cause a denial of service (out-of-bounds read) via
| unspecified vectors.

CVE-2013-2882[2]:
| Google V8, as used in Google Chrome before 28.0.1500.95, allows remote
| attackers to cause a denial of service or possibly have unspecified
| other impact via vectors that leverage "type confusion."

CVE-2013-2919[3]:
| Google V8, as used in Google Chrome before 30.0.1599.66, allows remote
| attackers to cause a denial of service (memory corruption) or possibly
| have unspecified other impact via unknown vectors.

CVE-2013-6638[4]:
| Multiple buffer overflows in runtime.cc in Google V8 before 3.22.24.7,
| as used in Google Chrome before 31.0.1650.63, allow remote attackers
| to cause a denial of service or possibly have unspecified other impact
| via vectors that trigger a large typed array, related to the (1)
| Runtime_TypedArrayInitialize and (2)
| Runtime_TypedArrayInitializeFromArrayLike functions.

CVE-2013-6639[5]:
| The DehoistArrayIndex function in hydrogen-dehoist.cc (aka
| hydrogen.cc) in Google V8 before 3.22.24.7, as used in Google Chrome
| before 31.0.1650.63, allows remote attackers to cause a denial of
| service (out-of-bounds write) or possibly have unspecified other
| impact via JavaScript code that sets the value of an array element
| with a crafted index.

CVE-2013-6640[6]:
| The DehoistArrayIndex function in hydrogen-dehoist.cc (aka
| hydrogen.cc) in Google V8 before 3.22.24.7, as used in Google Chrome
| before 31.0.1650.63, allows remote attackers to cause a denial of
| service (out-of-bounds read) via JavaScript code that sets a variable
| to the value of an array element with a crafted index.

CVE-2013-6649[7]:
| Use-after-free vulnerability in the RenderSVGImage::paint function in
| core/rendering/svg/RenderSVGImage.cpp in Blink, as used in Google
| Chrome before 32.0.1700.102, allows remote attackers to cause a denial
| of service or possibly have unspecified other impact via vectors
| involving a zero-size SVG image.

CVE-2013-6650[8]:
| The StoreBuffer::ExemptPopularPages function in store-buffer.cc in
| Google V8 before 3.22.24.16, as used in Google Chrome before
| 32.0.1700.102, allows remote attackers to cause a denial of service
| (memory corruption) or possibly have unspecified other impact via
| vectors that trigger incorrect handling of "popular pages."

CVE-2013-6668[9]:
| Multiple unspecified vulnerabilities in Google V8 before 3.24.35.10,
| as used in Google Chrome before 33.0.1750.146, allow attackers to
| cause a denial of service or possibly have other impact via unknown
| vectors.

CVE-2014-1704[10]:
| Multiple unspecified vulnerabilities in Google V8 before 3.23.17.18,
| as used in Google Chrome before 33.0.1750.149, allow attackers to
| cause a denial of service or possibly have other impact via unknown
| vectors.

CVE-2014-1705[11]:
| Google V8, as used in Google Chrome before 33.0.1750.152 on OS X and
| Linux and before 33.0.1750.154 on Windows, allows remote attackers to
| cause a denial of service (memory corruption) or possibly have
| unspecified other impact via unknown vectors.

CVE-2014-1716[12]:
| Cross-site scripting (XSS) vulnerability in the Runtime_SetPrototype
| function in runtime.cc in Google V8, as used in Google Chrome before
| 34.0.1847.116, allows remote attackers to inject arbitrary web script
| or HTML via unspecified vectors, aka "Universal XSS (UXSS)."

CVE-2014-1717[13]:
| Google V8, as used in Google Chrome before 34.0.1847.116, does not
| properly use numeric casts during handling of typed arrays, which
| allows remote attackers to cause a denial of service (out-of-bounds
| array access) or possibly have unspecified other impact via crafted
| JavaScript code.

CVE-2014-1717[14]:
| Google V8, as used in Google Chrome before 34.0.1847.116, does not
| properly use numeric casts during handling of typed arrays, which
| allows remote attackers to cause a denial of service (out-of-bounds
| array access) or possibly have unspecified other impact via crafted
| JavaScript code.

CVE-2014-1729[15]:
| Multiple unspecified vulnerabilities in Google V8 before 3.24.35.22,
| as used in Google Chrome before 34.0.1847.116, allow attackers to
| cause a denial of service or possibly have other impact via
[Bug 1837038] Re: Broken and defunct libv8-3.14 urgently needs removal
Thank you! Indeed, the Debian maintainer (Jérémy Lal) told me he is in the process of removing libv8-3.14 entirely as well, but they need to deal with the last reverse dependency (uwsgi-plugin-v8). But for them it's less of an urgent issue because they have already removed it from stable branches. However for Ubuntu it is currently still affecting releases.
[Bug 1837038] Re: Broken and defunct libv8-3.14 urgently needs removal
Thanks for reporting. I've subscribed the Ubuntu archive admins to take a look at this.

Just a note: while the package was removed from Debian stable/testing, it looks like it is still present in unstable https://tracker.debian.org/pkg/libv8-3.14.