<div dir="ltr"><div>I am new to this list and would like to get involved, but I am a relative beginner in programming. I understand from looking at this CVE that it is triggered by a particular type of API call, which is probably unlikely in the wild, unless prior recon has been done and there is already a threat actor inside. The threat is less than six. I work in security and I have seen many environments where threats this low are not patched. If I would have time and would want to volunteer help, can someone instruct me how to get started? Thank you in advance. I apologize if I am making noise on the list, I just signed up. I thought QA would be an easy way to get started in the Debian community. Thanks.</div><div><br></div><div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Michael Lazin<br><span style="font-size:16.6px;font-family:serif"></span><div><br></div><div><span style="font-size:16.6px;font-family:serif"></span><span style="font-size:16.6px;font-family:serif">.. </span><span style="font-size:16.6px;font-family:serif">τὸ </span><span style="font-size:16.6px;font-family:serif">γὰρ</span><span style="font-size:16.6px;font-family:serif"> αὐτὸ </span><span style="font-size:16.6px;font-family:serif">νοεῖν </span><span style="font-size:16.6px;font-family:serif">ἐστίν </span><span style="font-size:16.6px;font-family:serif">τε </span><span style="font-size:16.6px;font-family:serif">καὶ </span><span style="font-size:16.6px;font-family:serif">εἶναι</span><span style="font-size:16.6px;font-family:serif">.</span></div><span style="font-size:16.6px;font-family:serif"></span><span style="font-size:16.6px;font-family:serif"></span><span style="font-size:16.6px;font-family:serif"></span><span style="font-size:16.6px;font-family:serif"></span><span style="font-size:16.6px;font-family:serif"></span><span style="font-size:16.6px;font-family:serif"></span><span style="font-size:16.6px;font-family:serif"></span><span style="font-size:16.6px;font-family:serif"></span><span style="font-size:16.6px;font-family:serif"></span></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Aug 23, 2021 at 8:03 AM Adrian Bunk <<a href="mailto:bunk@debian.org">bunk@debian.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Source: passenger<br>
Severity: serious<br>
<br>
passenger-5.0.30/src/cxx_supportlib/vendor-copy:<br>
adhoc_lve.h libcurl libuv nghttp2 utf8 utf8.h<br>
<br>
passenger-5.0.30/src/cxx_supportlib/vendor-modified:<br>
SmallVector.h jsoncpp modp_b64.cpp modp_b64_data.h<br>
boost libev modp_b64.h psg_sysqueue.h<br>
<br>
passenger-6.0.10/src/cxx_supportlib/vendor-copy:<br>
adhoc_lve.h libuv utf8 utf8.h websocketpp<br>
<br>
passenger-6.0.10/src/cxx_supportlib/vendor-modified:<br>
boost libev modp_b64.h modp_b64_strict_aliasing.cpp<br>
jsoncpp modp_b64.cpp modp_b64_data.h psg_sysqueue.h<br>
<br>
<br>
The problem is that these vendored copies seem to actually be used.<br>
<br>
Does for example CVE-2021-22918 in libuv1 need fixing in passenger?<br>
<br>
The security team is Cc'ed, and in a better position to suggest<br>
how this package should be handled.<br>
<br>
Related, passenger is in security-tracker/data/packages/removed-packages<br>
(it was renamed to ruby-passenger and then renamed back).<br>
<br>
</blockquote></div>