From: | "Paweł Hajdan |
---|---|
To: | gentoo-dev@l.g.o |
Subject: | [gentoo-dev] removing vulnerable versions of dev-lang/v8 |
Date: | Fri, 08 Nov 2013 05:22:44 |
Message-Id: | 527C7517.3070409@gentoo.org |

For some context of this please see
<http://thread.gmane.org/gmane.linux.gentoo.devel/88222>

v8-3.20.17.7 fixes a memory corruption vulnerability, see
<http://googlechromereleases.blogspot.com/2013/10/stable-channel-update.html>

However, we still have v8-3.19 and even 3.18 in portage - this is
probably an oversight when stabilizing new versions.

Problem #1 is that sci-geosciences/osgearth-2.4 depends on
=dev-lang/v8-3.18.5.14 (see
<https://bugs.gentoo.org/show_bug.cgi?id=484786> for context). It
doesn't work with more recent v8, but it can be made to not depend on v8.

Problem #2 is dev-db/drizzle having a v8 USE flag. The ebuild is
actually broken for other reasons, see
<https://bugs.gentoo.org/show_bug.cgi?id=490216>. I'd like that USE flag
to be removed and v8 to always be disabled in drizzle.

With that I'd like to proceed with hard masking v8. I'm working with
upstream on better API stability, it seems to be working pretty well.
That's still a very long way to ABI stability, if at all possible.

Please comment on possible solutions for removing known vulnerable v8
versions from the tree.

Paweł

File name | MIME type |
---|---|
signature.asc | application/pgp-signature |
Subject | Author |
---|---|
Re: [gentoo-dev] removing vulnerable versions of dev-lang/v8 | Ian Stakenvicius <axs@g.o> |
Re: [gentoo-dev] removing vulnerable versions of dev-lang/v8 | "Diego Elio Pettenò" <flameeyes@×××××××××.eu> |