[DRE-maint] Bug#992786: passenger uses many vendored libraries

Adrian Bunk bunk at debian.org
Mon Aug 23 13:00:16 BST 2021


Source: passenger
Severity: serious

passenger-5.0.30/src/cxx_supportlib/vendor-copy:
adhoc_lve.h  libcurl  libuv  nghttp2  utf8  utf8.h

passenger-5.0.30/src/cxx_supportlib/vendor-modified:
SmallVector.h  jsoncpp  modp_b64.cpp  modp_b64_data.h
boost          libev    modp_b64.h    psg_sysqueue.h

passenger-6.0.10/src/cxx_supportlib/vendor-copy:
adhoc_lve.h  libuv  utf8  utf8.h  websocketpp

passenger-6.0.10/src/cxx_supportlib/vendor-modified:
boost    libev         modp_b64.h       modp_b64_strict_aliasing.cpp
jsoncpp  modp_b64.cpp  modp_b64_data.h  psg_sysqueue.h


The problem is that these vendored copies seem to actually be used.

Does for example CVE-2021-22918 in libuv1 need fixing in passenger?

The security team is Cc'ed, and in a better position to suggest
how this package should be handled.

Related, passenger is in security-tracker/data/packages/removed-packages
(it was renamed to ruby-passenger and then renamed back).
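Added example, not part of the bug report above and not passenger's own code: a small audit script that inventories the `vendor-copy` and `vendor-modified` directories and checks whether the embedded libuv predates a given fixed release, which is the question the report raises for CVE-2021-22918. It assumes the vendored libuv keeps upstream's `include/uv/version.h` layout with the `UV_VERSION_MAJOR/MINOR/PATCH` macros; the source tree it scans is constructed in a temporary directory, and the `1.42.0` threshold is a constructed demo value, not a statement about which libuv release carries the fix (look that up in the security tracker).

```python
import re
import tempfile
from pathlib import Path

# Directories passenger uses for embedded third-party code (named in the bug report).
VENDOR_DIRS = ("vendor-copy", "vendor-modified")

# libuv publishes its version as three macros in include/uv/version.h.
# That the vendored copy keeps this layout is an assumption of this example.
UV_VERSION_RE = re.compile(r"#define\s+UV_VERSION_(MAJOR|MINOR|PATCH)\s+(\d+)")


def inventory_vendored(src_root):
    """Map each vendor directory under src_root to the sorted names it contains."""
    root = Path(src_root)
    result = {}
    for name in VENDOR_DIRS:
        vdir = root / name
        if vdir.is_dir():
            result[name] = sorted(p.name for p in vdir.iterdir())
    return result


def libuv_version(libuv_dir):
    """Return (major, minor, patch) parsed from the vendored libuv, or None if absent."""
    header = Path(libuv_dir) / "include" / "uv" / "version.h"
    if not header.is_file():
        return None
    parts = {}
    for m in UV_VERSION_RE.finditer(header.read_text()):
        parts[m.group(1)] = int(m.group(2))
    if set(parts) != {"MAJOR", "MINOR", "PATCH"}:
        return None
    return (parts["MAJOR"], parts["MINOR"], parts["PATCH"])


def parse_version(text):
    """Turn '1.42.0' into a comparable tuple (1, 42, 0)."""
    return tuple(int(x) for x in text.split("."))


def needs_backport(vendored, fixed_in):
    """True when the embedded copy predates the release that carries the fix."""
    return vendored is not None and vendored < parse_version(fixed_in)


def build_sample_tree():
    """Create a constructed tree mimicking src/cxx_supportlib (not real passenger sources)."""
    base = Path(tempfile.mkdtemp(prefix="vendor-demo-"))
    uv_hdr = base / "vendor-copy" / "libuv" / "include" / "uv" / "version.h"
    uv_hdr.parent.mkdir(parents=True)
    uv_hdr.write_text(
        "#define UV_VERSION_MAJOR 1\n"
        "#define UV_VERSION_MINOR 41\n"
        "#define UV_VERSION_PATCH 0\n"
    )
    (base / "vendor-copy" / "utf8.h").write_text("/* constructed placeholder */\n")
    (base / "vendor-modified" / "jsoncpp").mkdir(parents=True)
    (base / "vendor-modified" / "libev").mkdir()
    return base


def audit(src_root, libuv_fixed_in):
    """Report what is vendored and whether the embedded libuv is behind the fixed release."""
    inv = inventory_vendored(src_root)
    uv = libuv_version(Path(src_root) / "vendor-copy" / "libuv")
    return {
        "inventory": inv,
        "libuv_version": uv,
        "libuv_needs_backport": needs_backport(uv, libuv_fixed_in),
    }


if __name__ == "__main__":
    tree = build_sample_tree()
    # "1.42.0" is a constructed threshold for this demo, not the CVE's real fixed version.
    print(audit(tree, "1.42.0"))
```

Run it against a real unpacked source tree by replacing `build_sample_tree()` with the path to `src/cxx_supportlib`; for the other vendored libraries (libev, jsoncpp, nghttp2, websocketpp) the same pattern applies with each project's own version header, which is why the version parser is kept separate from the inventory walk.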