[Pkg-javascript-devel] Bug#760385: Fix for CVE-2014-5256
Balint Reczey
balint at balintreczey.hu
Sat Dec 20 18:43:38 UTC 2014
Hi Mike,
On Sat, 20 Dec 2014 05:06:47 -0500 Michael Gilbert <mgilbert at debian.org>
wrote:
> On Sat, Dec 20, 2014 at 4:59 AM, Balint Reczey wrote:
> > Hi Mike,
> >
> > On Fri, 19 Dec 2014 21:11:10 -0500 Michael Gilbert
> > wrote:
> >> control: severity -1 important
> >>
> >> There is no security support for libv8 in jessie, so security issues aren't RC.
> > Could you please add some links to explain that?
> > I was about to fix this issue in an NMU after double-checking the fix.
>
> Severity doesn't say anything about whether or not a bug can be
> fixed, so you can still do that. Anyway it was decided recently on
I beg to disagree here. According to freeze policy [1] only targeted
fixes for RC bugs are considered to be accepted without pre-approval to
testing now. Fixes to unstable which won't be accepted to testing are
also discouraged during the freeze.
Those imply that decreasing the severity _does_ affect whether a bug should
be fixed.
Please restore the severity of this bug since it is about a security flaw
and let the Release Team decide if they want to see a vulnerable libv8
in Jessie.
BTW the fix seems to be trivial and since I'm in the JavaScript team I
can actually fix it in a normal maintainer upload.
> the security team ml.
Please provide a link to a public resource to let others understand the
reasoning.
Thanks,
Balint
[1] https://release.debian.org/jessie/freeze_policy.html