On Tue, Feb 27, 2018 at 02:14:02PM +0000, Simon McVittie wrote: >... > Also, the security team specifically don't provide security > support for libv8, which apparently extends to node-* packages like > <https://security-tracker.debian.org/tracker/CVE-2015-8855>, so it's > hard to see how tolerating embedded code copies of nodejs modules in > particular would make their security support situation a whole lot worse: > it's already the case that the upstream and downstream maintainers of > these modules (or the applications that bundle them, or both) provide > the only security maintenance they'll get. In practice, this isn't as > awful as it first appears, because nodejs modules are often very small, > so an individual nodejs module is relatively unlikely to contain security > vulnerabilities even if its defect density is high, simply because there > isn't very much code to be vulnerable. >...
https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#libv8 "Unfortunately, this means that libv8-3.14, nodejs, and the associated node-* package ecosystem should not currently be used with untrusted content, such as unsanitized data from the Internet." IMHO any package in Debian stable that uses a node* package on untrusted content should get an RC bug and a CVE - it is clearly documented that this should not be done. > Regards, > smcv >... cu Adrian -- "Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days. "Only a promise," Lao Er said. Pearl S. Buck - Dragon Seed
