[Pkg-javascript-devel] Bug#760385: Fix for CVE-2014-5256

Jean Baptiste Favre jbfavre at jbfavre.org
Sat Nov 15 20:42:42 UTC 2014


I meant "I'm *not* sure I'll be able to deal with lib8-3.14".

Sorry,
Jean Baptiste

On 15/11/2014 21:28, Jean Baptiste Favre wrote:
> Hello Thomas,
> Thanks for your update.
> 
> I decided to have a look at this bug because it seemed quite easy to fix
> it: upstream patch was available and small enough for me.
> Unfortunately, I'm sure I'll be able to deal with lib8-3.14. The more I
> dig into, the less I understand (more or less) :)
> 
> I'll try anyway,
> Regards,
> Jean Baptiste
> 
> On 15/11/2014 20:44, Thomas Viehmann wrote:
>> Hi Jean Baptiste,
>>
>> thank you for looking into this.
>> Note that the changelog entries for nodejs 0.10.31 and .32 include
>>   v8: backport CVE-2013-6668
>>   v8: fix a crash introduced by previous release
>> If libv8 in Debian is affected by those, you might also consider
>> backporting those fixes when preparing a new v8 package.
>>
>> (Elsewhere in NodeJS .33 there is "crypto: Disable autonegotiation for
>> SSLv2/3 by default", not sure whether the release team would let
>> something like that through.)
>>
>> Best regards
>>
>> Thomas
> 

