For some context on this, please see
<http://thread.gmane.org/gmane.linux.gentoo.devel/88222>

v8-3.20.17.7 fixes a memory corruption vulnerability, see
<http://googlechromereleases.blogspot.com/2013/10/stable-channel-update.html>

However, we still have v8-3.19 and even 3.18 in portage - this is
probably an oversight when stabilizing new versions.

Problem #1 is that sci-geosciences/osgearth-2.4 depends on
=dev-lang/v8-3.18.5.14 (see
<https://bugs.gentoo.org/show_bug.cgi?id=484786> for context). It
doesn't work with more recent v8, but it can be made to not depend on v8.

Problem #2 is dev-db/drizzle having a v8 USE flag. The ebuild is
actually broken for other reasons, see
<https://bugs.gentoo.org/show_bug.cgi?id=490216>. I'd like that USE flag
to be removed and v8 to always be disabled in drizzle.

With that I'd like to proceed with hard masking v8. I'm working with
upstream on better API stability, it seems to be working pretty well.
That's still a very long way to ABI stability, if at all possible.

Please comment on possible solutions for removing known vulnerable v8
versions from the tree.

Paweł
