Bug#1101756: Should libbson-xs-perl be shipped in trixie?

Yadd yadd at debian.org
Tue Apr 1 06:15:13 BST 2025


On 3/31/25 22:12, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Mon, Mar 31, 2025 at 04:58:15PM +0300, Adrian Bunk wrote:
>> Package: libbson-xs-perl
>> Version: 0.8.4-3
>> Severity: serious
>> Tags: security
>> X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
>>
>> https://metacpan.org/dist/BSON-XS
>>
>>   Changes for version v0.8.4 - 2020-08-13
>>      !!! END OF LIFE NOTICE !!!
>>          As of August 13, 2020, the BSON-XS library has reached end of life and is no longer supported by MongoDB.
>>
>>
>> The security aspect of this bug is that some/all of the bson CVEs
>> against mongo-c-driver might also apply to the copy of the bson code
>> in libbson-xs-perl.
>>
>> An alternative solution for the latter might be patching the source to
>> build with libbson-dev.
> 
> "Ideally" the removal would be the right choice given the
> deprecation/end-of-life, but I fear that is not possible at this stage
> in the freeze. libmongodb-perl has AFAICS a depends on libbson-xs-perl
> and libmongodb-perl has some reverse dependencies.
> 
> gregor, yadd, any opinions from you here?
> 
> Regards,
> Salvatore

Hi,

We can remove BSON::XS from libmongodb-perl dependencies, it will 
affect only performance. I tested the build, it works.

Best regards,
Xavier


