[DRE-maint] Bug#992786: passenger uses many vendored libraries
Adrian Bunk
bunk at debian.org
Mon Aug 23 13:00:16 BST 2021
Source: passenger
Severity: serious
passenger-5.0.30/src/cxx_supportlib/vendor-copy:
adhoc_lve.h libcurl libuv nghttp2 utf8 utf8.h
passenger-5.0.30/src/cxx_supportlib/vendor-modified:
SmallVector.h jsoncpp modp_b64.cpp modp_b64_data.h
boost libev modp_b64.h psg_sysqueue.h
passenger-6.0.10/src/cxx_supportlib/vendor-copy:
adhoc_lve.h libuv utf8 utf8.h websocketpp
passenger-6.0.10/src/cxx_supportlib/vendor-modified:
boost libev modp_b64.h modp_b64_strict_aliasing.cpp
jsoncpp modp_b64.cpp modp_b64_data.h psg_sysqueue.h
The problem is that these vendored copies seem to actually be used.
Does for example CVE-2021-22918 in libuv1 need fixing in passenger?
The security team is Cc'ed, and in a better position to suggest
how this package should be handled.
Related, passenger is in security-tracker/data/packages/removed-packages
(it was renamed to ruby-passenger and then renamed back).
More information about the Pkg-ruby-extras-maintainers
mailing list