From: "Paweł Hajdan, Jr."
Date: Thu, 07 Nov 2013 21:22:31 -0800
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] removing vulnerable versions of dev-lang/v8
Message-ID: <527C7517.3070409@gentoo.org>

For some context of this please see

v8-3.20.17.7 fixes a memory corruption vulnerability, see

However, we still have v8-3.19 and even 3.18 in portage - this is probably an oversight when stabilizing new versions.

Problem #1 is that sci-geosciences/osgearth-2.4 depends on =dev-lang/v8-3.18.5.14 (see for context). It doesn't work with more recent v8, but it can be made to not depend on v8.

Problem #2 is dev-db/drizzle having a v8 USE flag. The ebuild is actually broken for other reasons, see . I'd like that USE flag to be removed and v8 to always be disabled in drizzle.

With that I'd like to proceed with hard masking v8.

I'm working with upstream on better API stability, it seems to be working pretty well. That's still a very long way to ABI stability, if at all possible.

Please comment on possible solutions for removing known vulnerable v8 versions from the tree.

Paweł