NAK. I stopped the security audit as soon as I saw that qtjsbackend-opensource-src contains an embedded copy of the Google V8 JavaScript engine (i.e., libv8). The version that is embedded is 3.11.4 from last May. libv8 in the archive already has no one maintaining it and it's older than what's in qtjsbackend-opensource-src, so switching to it wouldn't help (it has 13 open CVEs against it). There are currently 5 open CVEs against the version that is in qtjsbackend-opensource-src right now:
CVE-2012-5120
CVE-2012-5128
CVE-2012-5153
CVE-2013-0836
CVE-2013-2632
Furthermore, qtjsbackend-opensource-src's own README file has instructions on updating the embedded v8: "In the likely case of conflicts, follow the git instructions about continuing the patch application process after resolving the conflicts." This probably explains why libv8 hasn't been updated upstream. I also looked at fixes and they will require significant backporting.
Between the 5 open CVEs in qtjsbackend-opensource-src now, upstream's reluctance to keep it up to date, a lack of a suitable in-archive alternative in libv8, the complexity of maintaining a JavaScript engine without upstream support, and its security history, I believe qtjsbackend-opensource-src is unsupportable currently.