Re: [Pkg-javascript-devel] Bug#778348: release-notes: document security status for libv8/nodejs in jessie
Hi,

I see your mail wrong, so here is a forward with the correct mail.

~Niels

Forwarded Message
Subject: Re: Bug#778348: release-notes: document security status for libv8/nodejs in jessie
Date: Mon, 16 Feb 2015 09:11:33 +0100
From: Niels Thykier ni...@thykier.net
To: Michael Gilbert mgilb...@debian.org, 778...@bugs.debian.org, sb...@mailbox.org
CC: pkg-javascript-de...@lists.debian.org

Control: tags -1 pending

On 2015-02-13 22:35, Michael Gilbert wrote:
> package: release-notes
> severity: important
> tags: security
> x-debbugs-cc: pkg-javascript-de...@lists.debian.org
>
> Information was added about this problem to the libv8 package [0], but it would be useful to state something in the release notes also. Please see draft attached.
>
> Best wishes,
> Mike
>
> [0] http://bugs.debian.org/775715

Hi,

I have attached Michael's patch (with Stephan's typo fixes) and included a few minor changes on top of this. The result is attached as 0001-en-issues-Document-lack-of-security-support-for-Node.patch.

Review/remarks welcome.

Thanks,
~Niels

From b4a2d1c275bf871705d53b4861c1dd26f568f2c8 Mon Sep 17 00:00:00 2001
From: nthykier nthykier@313b444b-1b9f-4f58-a734-7bb04f332e8d
Date: Mon, 16 Feb 2015 08:07:01 +
Subject: [PATCH 1/2] en/issues: Document lack of security support for Node.js

Includes typo fixes, mark-up changes and minor word changes from Stephan Beck sb...@mailbox.org and nthykier.

Closes: #778348
Written-by: Michael Gilbert mgilb...@debian.org
Signed-off-by: Niels Thykier ni...@thykier.net

git-svn-id: svn+ssh://svn.debian.org/svn/ddp/manuals/trunk/release-notes@10634 313b444b-1b9f-4f58-a734-7bb04f332e8d
---
 en/issues.dbk | 22 ++
 1 file changed, 22 insertions(+)

diff --git a/en/issues.dbk b/en/issues.dbk
index 51a144f..8b232f5 100644
--- a/en/issues.dbk
+++ b/en/issues.dbk
@@ -45,6 +45,28 @@ role=packagedebian-security-support/systemitem, introduced in packages./para /section +section id=libv8 +titleLack of security support for the ecosystem around libv8 and Node.js/title +para + The Node.js platform is built on top of libv8, which receives a + high volume of security issues but there are currently no + volunteers within the project or the security team sufficiently + interested and willing to spend the large amount of time required + to stem those incoming issues. +/para +para + Unfortunately, this means that systemitem + role=packagelibv8/systemitem, systemitem + role=packagenodejs/systemitem, and the associated node-* + package ecosystem should not currently be used with untrusted + content, for example unsanitized data from the internet. +/para +para + In addition, these packages will not receive any security updates + during the lifetime of the jessie release. +/para +/section + section id=openssh titleOpenSSH server defaults to PermitRootLogin without-password/title !-- Wheezy to Jessie -- -- 2.1.4 ___ Pkg-javascript-devel mailing list Pkg-javascript-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
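Review bot: the new `section id=libv8` hunk tells readers that libv8, nodejs and the node-* packages get no security updates in jessie and must not see untrusted content, but gives them nowhere to follow up; the covering mail cites http://bugs.debian.org/775715 as the place where the libv8 status was documented, and the unchanged context line just above the hunk belongs to the debian-security-support section, so consider adding a ulink to that bug and a cross-reference to the debian-security-support section so that users can check the status of their own installations. Also, `node-*` in running text would read better inside literal markup, matching the systemitem mark-up used for the package names around it.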
[Pkg-javascript-devel] Bug#778568: unblock: node-findit2/2.2.3-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package node-findit2

The package build-depends on node-tap, a buggy package. However, this dependency is strictly optional and is only used to run upstream tests. Further, there are many examples of Debian JavaScript packages which have tests disabled.

diff -Nru node-findit2-2.2.3/debian/changelog node-findit2-2.2.3/debian/changelog --- node-findit2-2.2.3/debian/changelog 2014-10-20 00:05:27.0 + +++ node-findit2-2.2.3/debian/changelog 2015-02-16 19:25:16.0 + @@ -1,3 +1,9 @@ +node-findit2 (2.2.3-2) unstable; urgency=medium + + * remove build dependency on buggy dependency: node-tap + + -- Andrew Kelley superjo...@gmail.com Mon, 16 Feb 2015 19:25:08 + + node-findit2 (2.2.3-1) unstable; urgency=medium * Initial release (Closes: #765772) diff -Nru node-findit2-2.2.3/debian/control node-findit2-2.2.3/debian/control --- node-findit2-2.2.3/debian/control 2014-10-20 00:03:35.0 + +++ node-findit2-2.2.3/debian/control 2015-02-16 19:23:44.0 + @@ -6,7 +6,6 @@ Build-Depends: debhelper (= 8) , dh-buildinfo - , node-tap , nodejs Standards-Version: 3.9.6 Homepage: https://github.com/andrewrk/node-findit diff -Nru node-findit2-2.2.3/debian/rules node-findit2-2.2.3/debian/rules --- node-findit2-2.2.3/debian/rules 2014-10-20 00:03:21.0 + +++ node-findit2-2.2.3/debian/rules 2015-02-16 19:24:00.0 +
@@ -9,8 +9,6 @@ #override_dh_auto_build: -override_dh_auto_test: - tap test/*.js
unblock node-findit2/2.2.3-1

-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
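Review bot: the debian/rules hunk (`-override_dh_auto_test:` / `- tap test/*.js`) deletes the test target outright, so nothing in the packaging records why upstream tests are no longer run; since the stated reason is the node-tap bug, keep a commented-out stub next to the existing `#override_dh_auto_build:` line, or a short comment in debian/rules, naming that bug so the tests can be re-enabled once node-tap is fixed, and put the same bug number in the changelog entry instead of just "buggy dependency". Separately, the request body asks to `unblock node-findit2/2.2.3-1` while the debdiff is for 2.2.3-2; the version in the unblock line should match the upload.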
Re: [Pkg-javascript-devel] can you fix node-tap and I will ask for the unblock?
Hi,

> I have filed a bug for an unblock on the package:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778566

Please, double check if that's needed before doing so next time:

$ apt-cache policy node-serve-static
node-serve-static:
  Installé : (aucun)
  Candidat : 1.6.4-1
 Table de version :
     1.6.4-1 0
        500 http://ftp.us.debian.org/debian/ jessie/main amd64 Packages
        500 http://ftp.us.debian.org/debian/ sid/main amd64 Packages

grep-excuses can help too.

Regards
David
Re: [Pkg-javascript-devel] can you fix node-tap and I will ask for the unblock?
> Hi,
>
>> I have filed a bug for an unblock on the package:
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778566
>
> Please, double check if that's needed before doing so next time:
>
> $ apt-cache policy node-serve-static
> node-serve-static:
>   Installé : (aucun)
>   Candidat : 1.6.4-1

I should have double-checked the version, sorry for the noise.

node-serve-static/1.6.4-2 doesn't seem to have been uploaded, so maybe there is still something to fix.

Regards
David
[Pkg-javascript-devel] can you fix node-tap and I will ask for the unblock?
Jérémy,

Thank you for fixing node-serve-static. I have filed a bug for an unblock on the package:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778566

Could you do the same for node-tap? Perhaps even by deleting the failing test? Then I will file an unblock on node-tap.

Regards,
Andrew
[Pkg-javascript-devel] Processing of node-tap_0.4.13-2_amd64.changes
node-tap_0.4.13-2_amd64.changes uploaded successfully to localhost
along with the files:
  node-tap_0.4.13-2.dsc
  node-tap_0.4.13-2.debian.tar.xz
  node-tap_0.4.13-2_all.deb

Greetings,

	Your Debian queue daemon (running on host franck.debian.org)
[Pkg-javascript-devel] Processing of node-serve-static_1.6.4-2_amd64.changes
node-serve-static_1.6.4-2_amd64.changes uploaded successfully to localhost
along with the files:
  node-serve-static_1.6.4-2.dsc
  node-serve-static_1.6.4-2.debian.tar.xz
  node-serve-static_1.6.4-2_all.deb

Greetings,

	Your Debian queue daemon (running on host franck.debian.org)
[Pkg-javascript-devel] node-findit2_2.2.3-2_amd64.changes REJECTED
node-findit2_2.2.3-2.dsc: Invalid size hash for node-findit2_2.2.3.orig.tar.gz: According to the control file the size hash should be 5445, but node-findit2_2.2.3.orig.tar.gz has 5622.

If you did not include node-findit2_2.2.3.orig.tar.gz in your upload, a different version might already be known to the archive software.

===

Please feel free to respond to this email if you don't understand why your files were rejected, or if you upload new files which address our concerns.
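The rejection above is the archive refusing a source upload whose .dsc records one size (5445 bytes) for the orig tarball while the file actually shipped is 5622 bytes, which is the situation that arises when a re-generated orig.tar.gz is uploaded under a name the archive already knows. The following is an added example, not part of the thread and not Debian's archive software (dak): it parses the checksum stanzas of a .dsc (the real Files / Checksums-Sha1 / Checksums-Sha256 layout) and checks every referenced file for size and digest, the same class of check that produced the message above. The .dsc text, the file contents and the temporary directory are constructed here; the filename and the two sizes come from the message.

```python
"""Verify that the files a .dsc references match the size and digests it
records. Added example; not Debian's archive code. The field names and the
.dsc layout follow the Debian source-package format; everything else is
constructed."""
import hashlib
import os
import tempfile

# .dsc checksum fields and the digest algorithm each one carries.
FIELD_ALGO = {
    "Files": "md5",
    "Checksums-Sha1": "sha1",
    "Checksums-Sha256": "sha256",
}


def parse_dsc(text):
    """Return {field: [(digest, size, filename), ...]} for the checksum fields.

    Only the multi-line checksum stanzas are parsed; their continuation lines
    start with whitespace and hold "<digest> <size> <filename>".
    """
    entries = {}
    current = None
    for line in text.splitlines():
        if line[:1] in (" ", "\t"):
            if current is not None and line.strip():
                digest, size, name = line.split()
                entries[current].append((digest, int(size), name))
            continue
        current = None
        field = line.split(":", 1)[0]
        if ":" in line and field in FIELD_ALGO:
            current = field
            entries[field] = []
    return entries


def verify_dsc(dsc_text, directory):
    """Return a list of problem strings; an empty list means every file matches."""
    problems = []
    for field, rows in parse_dsc(dsc_text).items():
        algo = FIELD_ALGO[field]
        for digest, size, name in rows:
            path = os.path.join(directory, os.path.basename(name))
            if not os.path.isfile(path):
                problems.append(f"{name}: not present in the upload")
                continue
            actual_size = os.path.getsize(path)
            if actual_size != size:
                problems.append(
                    f"{name}: {field} says size {size}, but the file has {actual_size}")
            with open(path, "rb") as fh:
                actual_digest = hashlib.new(algo, fh.read()).hexdigest()
            if actual_digest != digest:
                problems.append(f"{name}: {field} {algo} digest does not match")
    return problems


def demo():
    """Constructed scenario mirroring the rejection: the .dsc was generated
    against a 5445-byte orig tarball, but a different 5622-byte file with the
    same name sits in the upload directory. Returns (problems_before,
    problems_after), "after" being the run once the matching tarball is in place."""
    name = "node-findit2_2.2.3.orig.tar.gz"
    known = b"A" * 5445      # tarball the .dsc was built against (constructed)
    different = b"B" * 5622  # file that actually got uploaded (constructed)
    dsc = (
        "Format: 3.0 (quilt)\n"
        "Source: node-findit2\n"
        "Files:\n"
        f" {hashlib.md5(known).hexdigest()} {len(known)} {name}\n"
        "Checksums-Sha256:\n"
        f" {hashlib.sha256(known).hexdigest()} {len(known)} {name}\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, name)
        with open(path, "wb") as fh:
            fh.write(different)
        before = verify_dsc(dsc, tmp)
        with open(path, "wb") as fh:
            fh.write(known)
        after = verify_dsc(dsc, tmp)
    return before, after


if __name__ == "__main__":
    bad, good = demo()
    print("\n".join(bad) or "ok")
    print("after replacing the tarball:", good or "ok")
```

Running it reports a size mismatch and a digest mismatch for each checksum stanza while the wrong tarball is present, and nothing once the tarball the .dsc was built from is put back. The practical lesson from the rejection is the same: once an orig tarball has entered the archive, a later upload of the same upstream version must reuse that exact tarball, so check `dpkg-source` output against the existing file before uploading rather than regenerating it.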
[Pkg-javascript-devel] Bug#778576: unblock: node-tap/0.4.13-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package node-tap

The bug that caused this package to be scheduled for autoremoval is fixed with this small patch which disables a single test. This does not affect the behavior of the package itself in any way.

diff -Nru node-tap-0.4.13/debian/changelog node-tap-0.4.13/debian/changelog --- node-tap-0.4.13/debian/changelog2014-10-20 00:01:44.0 + +++ node-tap-0.4.13/debian/changelog2015-02-16 22:53:56.0 + @@ -1,3 +1,9 @@ +node-tap (0.4.13-2) unstable; urgency=medium + + * Patch fixing failing test FTBFS (Closes: #775627) + + -- Jérémy Lal kapo...@melix.org Mon, 16 Feb 2015 23:52:37 +0100 + node-tap (0.4.13-1) unstable; urgency=low * Initial release (Closes: #765988) diff -Nru node-tap-0.4.13/debian/patches/mitigate_test_segv.patch node-tap-0.4.13/debian/patches/mitigate_test_segv.patch --- node-tap-0.4.13/debian/patches/mitigate_test_segv.patch 1970-01-01 00:00:00.0 + +++ node-tap-0.4.13/debian/patches/mitigate_test_segv.patch 2015-02-16 22:53:00.0 +
@@ -0,0 +1,30 @@ +Description: exit code of segv test depend on platform - do not check it + For reasons yet to be discovered, the assumption in segv test is wrong on + the platform used for https://bugs.debian.org/775627. +Last-Update: 2015-02-16 +Author: Jérémy Lal kapo...@melix.org +Forwarded: no, need more info +--- a/test/segv.js b/test/segv.js +@@ -37,9 +37,7 @@ + , { 'id': 1, + 'ok': false, + 'name': ' ././segv', +- 'exit': null, + 'timedOut': true, +- 'signal': process.platform === 'linux' ? 'SIGSEGV' : 'SIGTERM', + 'command': './segv' } + , 'tests 1' + , 'fail 1' ] +@@ -47,11 +45,6 @@ + tc.on('data', function (d) { + var e = expect.shift() + +-// specific signal can be either term or bus +-if (d.signal e.signal) +- e.signal = d.signal === SIGTERM || d.signal === SIGBUS ? +-d.signal : e.signal +- + t.same(d, e) + }) + tc.on('end', function () { diff -Nru node-tap-0.4.13/debian/patches/series node-tap-0.4.13/debian/patches/series --- node-tap-0.4.13/debian/patches/series 2014-10-20 00:01:40.0 + +++ node-tap-0.4.13/debian/patches/series 2015-02-16 22:53:00.0 + @@ -1,3 +1,4 @@ nodejs_rename.patch use_available_modules.patch sbuild_disable_tests.patch +mitigate_test_segv.patch
unblock node-tap/0.4.13-2

-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
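Review bot: in the mitigate_test_segv.patch hunks, the Description says only that the exit code depends on the platform and should not be checked, but the change also drops the `'signal'` expectation and the whole block that normalised SIGTERM/SIGBUS, so the test no longer checks which signal terminated the child at all; either narrow the change to `'exit'` or say in the Description and in the changelog entry that the signal check is being dropped too. Also worth confirming that `t.same(d, e)` still passes when `'exit'` and `'signal'` are removed from the expected object only: the actual result `d` still carries those keys, so if `same` compares key sets the test keeps failing, and deleting those keys from `d` before the comparison would make the intent explicit. Finally, the embedded patch header as shown reads `--- a/test/segv.js b/test/segv.js` on a single line; check that the file in debian/patches really contains a separate `+++ b/test/segv.js` line, since quilt will not apply it otherwise.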
[Pkg-javascript-devel] node-express is marked for autoremoval from testing
node-express 4.1.1~dfsg-1 is marked for autoremoval from testing on 2015-03-05

It (build-)depends on packages with these RC bugs:
775843: node-serve-static: CVE-2015-1164
[Pkg-javascript-devel] node-serve-static is marked for autoremoval from testing
node-serve-static 1.6.4-1 is marked for autoremoval from testing on 2015-03-05

It is affected by these RC bugs:
775843: node-serve-static: CVE-2015-1164