package: release-notes
severity: important
tags: security
x-debbugs-cc: [email protected]
Information was added about this problem to the libv8 package [0], but it would be useful to state something in the release notes also. Please see draft attached.

Best wishes,
Mike

[0] http://bugs.debian.org/775715
--- en/issues.dbk (revision 10629) +++ en/issues.dbk (working copy) @@ -45,6 +45,26 @@ packages.</para> </section> +<section id="libv8"> +<title>Lack of security support for the ecosystem around libv8 and nodejs</title> +<para> + nodejs is built on top of libv8, which recieves a high volume of + security issues but there are currently no volunteers within the + project or the security team sufficiently interested and willing + to spend the large amount of time required to stem those incoming + issues. +</para> +<para> + Unfortunately, this means that libv8, nodejs, and the associated + node-* package ecosystem should not currently be used with + untrusted content, for example unsanitized data from the internet. +</para> +<para> + In addition, these packages will not recieve any security updates + during the lifetime of the jessie release. +</para> +</section> + <section id="openssh"> <title>OpenSSH server defaults to "PermitRootLogin without-password"</title> <!-- Wheezy to Jessie -->
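Review bot: "recieves" and "recieve" are misspelled in the new section; the lines "+ nodejs is built on top of libv8, which recieves a high volume of" and "+ In addition, these packages will not recieve any security updates" should read "receives" and "receive" respectively. The first paragraph also runs two statements into one sentence ("which recieves a high volume of security issues but there are currently no volunteers ..."); splitting it, e.g. "... receives a high volume of security issues. There are currently no volunteers within the project or the security team ...", makes the point about unsupported packages easier to read. Since the covering mail cites the libv8 bug report (http://bugs.debian.org/775715) as the place where this was first documented, consider adding that reference to the section so readers can follow the discussion.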

