For some context of this please see <http://thread.gmane.org/gmane.linux.gentoo.devel/88222>
v8-3.20.17.7 fixes a memory corruption vulnerability, see <http://googlechromereleases.blogspot.com/2013/10/stable-channel-update.html> However, we still have v8-3.19 and even 3.18 in portage - this is probably an oversight when stabilizing new versions. Problem #1 is that sci-geosciences/osgearth-2.4 depends on =dev-lang/v8-3.18.5.14 (see <https://bugs.gentoo.org/show_bug.cgi?id=484786> for context). It doesn't work with more recent v8, but it can be made to not depend on v8. Problem #2 is dev-db/drizzle having a v8 USE flag. The ebuild is actually broken for other reasons, see <https://bugs.gentoo.org/show_bug.cgi?id=490216>. I'd like that USE flag to be removed and v8 to always be disabled in drizzle. With that I'd like to proceed with hard masking v8. I'm working with upstream on better API stability, it seems to be working pretty well. That's still a very long way to ABI stability, if at all possible. Please comment on possible solutions for removing known vulnerable v8 versions from the tree. Paweł
signature.asc
Description: OpenPGP digital signature