Archives
Archives
| From: | "Paweł Hajdan |
|---|---|
| To: | gentoo-dev@l.g.o |
| Subject: | [gentoo-dev] removing vulnerable versions of dev-lang/v8 |
| Date: | Fri, 08 Nov 2013 05:22:44 |
| Message-Id: | 527C7517.3070409@gentoo.org |
| 1 | For some context of this please see |
| 2 | <http://thread.gmane.org/gmane.linux.gentoo.devel/88222> |
| 3 | |
| 4 | v8-3.20.17.7 fixes a memory corruption vulnerability, see |
| 5 | <http://googlechromereleases.blogspot.com/2013/10/stable-channel-update.html> |
| 6 | |
| 7 | However, we still have v8-3.19 and even 3.18 in portage - this is |
| 8 | probably an oversight when stabilizing new versions. |
| 9 | |
| 10 | Problem #1 is that sci-geosciences/osgearth-2.4 depends on |
| 11 | =dev-lang/v8-3.18.5.14 (see |
| 12 | <https://bugs.gentoo.org/show_bug.cgi?id=484786> for context). It |
| 13 | doesn't work with more recent v8, but it can be made to not depend on v8. |
| 14 | |
| 15 | Problem #2 is dev-db/drizzle having a v8 USE flag. The ebuild is |
| 16 | actually broken for other reasons, see |
| 17 | <https://bugs.gentoo.org/show_bug.cgi?id=490216>. I'd like that USE flag |
| 18 | to be removed and v8 to always be disabled in drizzle. |
| 19 | |
| 20 | With that I'd like to proceed with hard masking v8. I'm working with |
| 21 | upstream on better API stability, it seems to be working pretty well. |
| 22 | That's still a very long way to ABI stability, if at all possible. |
| 23 | |
| 24 | Please comment on possible solutions for removing known vulnerable v8 |
| 25 | versions from the tree. |
| 26 | |
| 27 | Paweł |
| File name | MIME type |
|---|---|
| signature.asc | application/pgp-signature |
| Subject | Author |
|---|---|
| Re: [gentoo-dev] removing vulnerable versions of dev-lang/v8 | Ian Stakenvicius <axs@g.o> |
| Re: [gentoo-dev] removing vulnerable versions of dev-lang/v8 | "Diego Elio Pettenò" <flameeyes@×××××××××.eu> |