Hi, I see your mail wrong, so here is a forward with the correct mail.
~Niels

-------- Forwarded Message --------
Subject: Re: Bug#778348: release-notes: document security status for libv8/nodejs in jessie
Date: Mon, 16 Feb 2015 09:11:33 +0100
From: Niels Thykier <[email protected]>
To: Michael Gilbert <[email protected]>, [email protected], [email protected]
CC: [email protected]

Control: tags -1 pending

On 2015-02-13 22:35, Michael Gilbert wrote:
> package: release-notes
> severity: important
> tags: security
> x-debbugs-cc: [email protected]
>
> Information was added about this problem to the libv8 package [0], but
> it would be useful to state something in the release notes also.
> Please see draft attached.
>
> Best wishes,
> Mike
>
> [0] http://bugs.debian.org/775715
>

Hi,

I have attached Michael's patch (with Stephan's typo fixes) and included a few minor changes on top of this. The result is attached as 0001-en-issues-Document-lack-of-security-support-for-Node.patch.

Review/remarks welcome.

Thanks,
~Niels
>From b4a2d1c275bf871705d53b4861c1dd26f568f2c8 Mon Sep 17 00:00:00 2001 From: nthykier <nthykier@313b444b-1b9f-4f58-a734-7bb04f332e8d> Date: Mon, 16 Feb 2015 08:07:01 +0000 Subject: [PATCH 1/2] en/issues: Document lack of security support for Node.js Includes typo fixes, mark-up changes and minor word changes from Stephan Beck <[email protected]> and nthykier. Closes: #778348 Written-by: Michael Gilbert <[email protected]> Signed-off-by: Niels Thykier <[email protected]> git-svn-id: svn+ssh://svn.debian.org/svn/ddp/manuals/trunk/release-notes@10634 313b444b-1b9f-4f58-a734-7bb04f332e8d --- en/issues.dbk | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/en/issues.dbk b/en/issues.dbk index 51a144f..8b232f5 100644 --- a/en/issues.dbk +++ b/en/issues.dbk @@ -45,6 +45,28 @@ role="package">debian-security-support</systemitem>, introduced in packages.</para> </section> +<section id="libv8"> +<title>Lack of security support for the ecosystem around libv8 and Node.js</title> +<para> + The Node.js platform is built on top of libv8, which receives a + high volume of security issues but there are currently no + volunteers within the project or the security team sufficiently + interested and willing to spend the large amount of time required + to stem those incoming issues. +</para> +<para> + Unfortunately, this means that <systemitem + role="package">libv8</systemitem>, <systemitem + role="package">nodejs</systemitem>, and the associated node-* + package ecosystem should not currently be used with untrusted + content, for example unsanitized data from the internet. +</para> +<para> + In addition, these packages will not receive any security updates + during the lifetime of the jessie release. +</para> +</section> + <section id="openssh"> <title>OpenSSH server defaults to "PermitRootLogin without-password"</title> <!-- Wheezy to Jessie --> -- 2.1.4
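Review bot: the third <para> of the new libv8 section states flatly that these packages "will not receive any security updates during the lifetime of the jessie release", while the first <para> frames the problem as there being "currently" no volunteers; the two levels of certainty do not match, so either hedge the third paragraph (for example "are not expected to receive") or drop "currently" from the first, so readers know whether the status can change. Two smaller points in the same hunk: the opening sentence runs on ("libv8, which receives a high volume of security issues but there are currently no volunteers ...") and reads more cleanly if split after "security issues"; and since the section is inserted directly after the debian-security-support section visible in the context lines, a cross-reference to that section, plus a link to bug 775715 cited earlier in this thread, would tell readers where the unsupported status is tracked.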

