Bug#1101756: Should libbson-xs-perl be shipped in trixie?
Salvatore Bonaccorso
carnil at debian.org
Mon Mar 31 21:12:03 BST 2025
Hi,
On Mon, Mar 31, 2025 at 04:58:15PM +0300, Adrian Bunk wrote:
> Package: libbson-xs-perl
> Version: 0.8.4-3
> Severity: serious
> Tags: security
> X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
>
> https://metacpan.org/dist/BSON-XS
>
> Changes for version v0.8.4 - 2020-08-13
> !!! END OF LIFE NOTICE !!!
> As of August 13, 2020, the BSON-XS library has reached end of life and is no longer supported by MongoDB.
>
>
> The security aspect of this bug is that some/all of the bson CVEs
> against mongo-c-driver might also apply to the copy of the bson code
> in libbson-xs-perl.
>
> An alternative solution for the latter might be patching the source to
> build with libbson-dev.
"Ideally" the removal would be the right choice given the
deprecation/end-of-life, but I fear that is not possible at this stage
in the freeze. libmongodb-perl has AFAICS a depends on libbson-xs-perl
and libmongodb-perl has some reverse dependencies.
gregor, yadd, any opinions from you here?
Regards,
Salvatore