Fedora has issued an advisory on December 11:
http://lists.fedoraproject.org/pipermail/package-announce/2012-December/095191.html
Mageia 2 is also affected. These are fixed upstream in 3.13.7.5.
Blocks: (none) => 6927
Whiteboard: (none) => MGA2TOO
CC: (none) => dmorganec
CC: (none) => cjw
CC: (none) => shikamaru
OpenSuSE has issued an advisory today (February 5):
http://lists.opensuse.org/opensuse-updates/2013-02/msg00007.html
It says more security issues are fixed upstream in 3.16.4.0.
from http://lwn.net/Vulnerabilities/536251/
CC: (none) => fundawang
CC: (none) => shlomif
CC: (none) => alexander
Other than chromium, this is only used by nodejs. Can we update this?
Currently, our chromium-browser-unstable does not use system v8, so only nodejs is affected now. I've put the package into updates/testing. If all goes well, I'll request them to be put into release. As for mga2, let's wait until after the cauldron release has landed.
Status: NEW => ASSIGNED
Thanks Funda! Quick question: did you mean to build the nodejs you just built in updates_testing? It was built in release, but won't it not build against the v8 in updates_testing in that case?
Yes, I need to update nodejs to 0.9.9 to have it built.
Assignee: dmorganec => fundawang
I think chromium-browser-unstable is using system v8 now. Where are we at with this? When will this be fixed?
No, we still use the bundled v8; it was too much work to use the system one (rediffing a huge patch each time, etc.).
I can look at this bug report if Funda doesn't. As he did a big part, this shouldn't be long.
Fedora has issued an advisory on December 18:
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101470.html
This adds three more CVEs. It sounds like CVE-2012-5153 and CVE-2013-0836 are fixed upstream in 3.14.5.8 and CVE-2013-2632 was fixed with an additional patch.
from http://lwn.net/Vulnerabilities/546497/
Summary: v8 new security issues CVE-2012-5120 and CVE-2012-5128 => v8 new security issues CVE-2012-5120, CVE-2012-5128, CVE-2012-5153, CVE-2013-0836, CVE-2013-2632
If nodejs is the only thing using this, maybe we should just drop this package from Cauldron and let nodejs use its bundled copy, as Fedora apparently is. They also updated nodejs for these latest vulnerabilities:
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101468.html
CC: (none) => mageia
Sysadmins, now that nothing depends on this package in Cauldron, please remove all files associated with the v8 SRPM in Cauldron. Thanks.
CC: (none) => sysadmin-bugs
(In reply to David Walser from comment #11)
> Sysadmins, now that nothing depends on this package in Cauldron, please
> remove all files associated with the v8 SRPM in Cauldron. Thanks.
dropped from cauldron.
CC: (none) => tmb
OK, this is no longer an issue in Cauldron. Damien, for Mageia 2, can we safely update nodejs to take care of these issues there?
Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)
Assignee: fundawang => mageia
new nodejs package in core/updates_testing: nodejs-0.8.23-1.mga2
[root@maximus ~]# node -e 'console.log(process.versions.v8);'
3.11.10.25
[root@maximus ~]#
FYI:
- 0.8.x is stable release (last update: Tue, 09 Apr 2013)
- 0.9.x is unstable release
- 0.10.x is stable release for 3 (v8: 3.14.5.8)
- 0.11.x is unstable
If ok, I will ask for an update request to QA. I tested the package: "works for me".
Thanks Damien.
Looking at the nodejs ChangeLog:
https://raw.github.com/joyent/node/v0.10.5/ChangeLog
I see that nodejs 0.8.x updated to v8 3.11.10.25 on 2012-10-25, but all of these security issues have come out since then. I suppose it's possible they don't affect nodejs 3.11.x (the other distros' issued updates were for 3.13.x, 3.14.x, and 3.16.x), but the only one of the issues I could find links to upstream patches for is the last one, CVE-2013-2632, and those upstream patches apply to the bundled v8 3.11.10.25. Here's where that one was reported upstream to nodejs:
https://github.com/joyent/node/issues/5113
Granted that nodejs 0.8.23 came out on 2013-03-07, so they might be aware of these issues (although maybe not the ones from the last update in Comment 9) and have determined they're not exploitable through v8. Would it be possible to check this with upstream?
I can see those v8 CVE-2013-2632 commits are in nodejs 0.10.3, which came out 2013-04-03 (and the upstream bug says they were committed on 2013-03-23). Maybe there are more fixes in nodejs 0.8.x SVN for these newer security issues? Maybe it's not maintained anymore?
I'd feel a lot more confident that all of these issues are actually fixed in nodejs 0.10.3. Is there a reason we can't use that version in Mageia 2?
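The version question raised in the comment above can be checked mechanically. This is an added example, not part of the original bug thread or of nodejs: it compares a v8 version string (by default the one node reports in `process.versions.v8`) with the fixed-upstream versions quoted in this thread. The names `FIXED_UPSTREAM`, `parseV8Version`, `compareVersions` and `olderThanFixes` are made up for the example, and a lower version number only shows that a build predates a release, not whether that branch is affected or carries backported patches.

```javascript
// Added example. Thresholds are the upstream v8 versions quoted in this bug
// thread; the grouping of CVE ids under each one follows the thread's wording.
const FIXED_UPSTREAM = [
  { version: '3.13.7.5', issues: ['CVE-2012-5120', 'CVE-2012-5128'] },
  { version: '3.14.5.8', issues: ['CVE-2012-5153', 'CVE-2013-0836'] },
  { version: '3.16.4.0', issues: ['further issues, no CVE ids given in the thread'] },
];

// "3.11.10.25" -> [3, 11, 10, 25]. Newer node builds append a suffix such as
// "-node.16" to process.versions.v8; it is dropped before comparing.
function parseV8Version(text) {
  const match = /^(\d+(?:\.\d+)*)(?:-.*)?$/.exec(String(text).trim());
  if (!match) {
    throw new Error(`unrecognised v8 version: ${text}`);
  }
  return match[1].split('.').map(Number);
}

// Numeric, component-wise comparison (so 3.13.10 sorts after 3.13.7.5).
function compareVersions(a, b) {
  const length = Math.max(a.length, b.length);
  for (let i = 0; i < length; i += 1) {
    const left = a[i] || 0;
    const right = b[i] || 0;
    if (left !== right) {
      return left < right ? -1 : 1;
    }
  }
  return 0;
}

// Return the thresholds that the given v8 version is older than.
function olderThanFixes(v8Version = process.versions.v8) {
  const current = parseV8Version(v8Version);
  return FIXED_UPSTREAM.filter(
    (entry) => compareVersions(current, parseV8Version(entry.version)) < 0
  );
}

// The bundled v8 reported for nodejs-0.8.23-1.mga2 in the thread:
for (const entry of olderThanFixes('3.11.10.25')) {
  console.log(`3.11.10.25 is older than ${entry.version}: ${entry.issues.join(', ')}`);
}
```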
Here's some links for the CVEs if you need them:
https://bugzilla.novell.com/show_bug.cgi?id=797599
https://bugzilla.redhat.com/show_bug.cgi?id=874840
https://bugzilla.redhat.com/show_bug.cgi?id=896266
https://bugzilla.redhat.com/show_bug.cgi?id=896272
https://bugzilla.redhat.com/show_bug.cgi?id=924495
(In reply to David Walser from comment #15)
> Thanks Damien.
>
> Looking at the nodejs ChangeLog:
> https://raw.github.com/joyent/node/v0.10.5/ChangeLog
>
> I see that nodejs 0.8.x updated to v8 3.11.10.25 on 2012-10-25, but all of
> these security issues have come out since then. I suppose it's possible
> they don't affect nodejs 3.11.x (the other distros' issued updates were for
> 3.13.x, 3.14.x, and 3.16.x), but the only one of the issues I could find
> links to upstream patches for is the last one, CVE-2013-2632, and those
> upstream patches apply to the bundled v8 3.11.10.25. Here's where that one
> was reported upstream to nodejs:
> https://github.com/joyent/node/issues/5113
Ok, I see... Let me check if 0.10.2 is working as expected in 2 to be safe with this issue.

> Granted that nodejs 0.8.23 came out on 2013-03-07, so they might be aware of
> these issues (although maybe not the ones from the last update in Comment 9)
> and have determined they're not exploitable through v8. Would it be
> possible to check this with upstream?
http://blog.nodejs.org/2013/04/08/node-v0-8-23-legacy/
Tue, 09 Apr 2013 for 0.8.23

> I can see those v8 CVE-2013-2632 commits are in nodejs 0.10.3, which came
> out 2013-04-03 (and the upstream bug says they were committed on
> 2013-03-23). Maybe there are more fixes in nodejs 0.8.x SVN for these newer
> security issues? Maybe it's not maintained anymore?
The stable release is now 0.10.x. 0.8.x is just having maintenance if needed...

> I'd feel a lot more confident that all of these issues are actually fixed in
> nodejs 0.10.3. Is there a reason we can't use that version in Mageia 2?
No, my idea was just to have latest nodejs for latest Mageia and having legacy nodejs for our previous distro. As said before, let me check how 0.10.x is working on 2 and I will update this bug report. Thanks for the help!
We can't have nodejs 0.10.x in 2 as openssl needs to be in 1.0.1 (1.0.0 for now).
I tar'd up the deps/v8 from the nodejs 0.10.3 tarball, and in the Mageia 2 spec, I did rm -rf deps/v8 and extracted it there, and the nodejs 0.8.23 package built just fine with it. I didn't test to see if it actually works (I don't know how to do that), but maybe that could be an option.
It's a crappy option, isn't it? :-) I would rather not change the source package.
(In reply to Damien Lallement from comment #20)
> It's a crappy option, isn't it? :-)
> I would rather not change the source package.
It's not crappy if it works. Adding patches is changing the source too.
Damien, I see you pushed nodejs-0.8.25-1.mga2 to updates_testing. I'm OK with pushing that as an update and closing this bug, if you want to do that.
(In reply to David Walser from comment #22)
> Damien, I see you pushed nodejs-0.8.25-1.mga2 to updates_testing. I'm OK
> with pushing that as an update and closing this bug, if you want to do that.
Ok David. WIP! :-)
FYI: https://twitter.com/damsweb/status/349883394135568384 I will assign a bug about nodejs 0.8.25 to QA tomorrow.
Depends on: (none) => 10691
Now that the nodejs update has been pushed, no packages in the distribution are using the system v8 library. If anyone else is using that library with their own stuff, they'll have to make arrangements to use a newer version of the library. Closing as WONTFIX.
Status: ASSIGNED => RESOLVED
Resolution: (none) => WONTFIX