Bug#1101756: Should libbson-xs-perl be shipped in trixie?
Salvatore Bonaccorso
carnil at debian.org
Thu Apr 3 22:52:36 BST 2025
Hi,
On Tue, Apr 01, 2025 at 07:15:13AM +0200, Yadd wrote:
> On 3/31/25 22:12, Salvatore Bonaccorso wrote:
> > Hi,
> >
> > On Mon, Mar 31, 2025 at 04:58:15PM +0300, Adrian Bunk wrote:
> > > Package: libbson-xs-perl
> > > Version: 0.8.4-3
> > > Severity: serious
> > > Tags: security
> > > X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
> > >
> > > https://metacpan.org/dist/BSON-XS
> > >
> > > Changes for version v0.8.4 - 2020-08-13
> > > !!! END OF LIFE NOTICE !!!
> > > As of August 13, 2020, the BSON-XS library has reached end of life and is no longer supported by MongoDB.
> > >
> > >
> > > The security aspect of this bug is that some/all of the bson CVEs
> > > against mongo-c-driver might also apply to the copy of the bson code
> > > in libbson-xs-perl.
> > >
> > > An alternative solution for the latter might be patching the source to
> > > build with libbson-dev.
> >
> > "Ideally" the removal would be the right choice given the
> > deprecation/end-of-life, but I fear that is not possible at this stage
> > in the freeze. libmongodb-perl has AFAICS a depends on libbson-xs-perl
> > and libmongodb-perl has some reverse dependencies.
> >
> > gregor, yadd, any opinions from you here?
> >
> > Regards,
> > Salvatore
>
> Hi,
>
> we can remove BSON::XS from libmongodb-perl dependencies, it will affect
> only performance. I tested the build, it works.
I have filed #1102011 for that.
Regards,
Salvatore