[DRE-maint] Bug#992786: passenger uses many vendored libraries
Michael Lazin
microlaser at gmail.com
Mon Aug 23 13:18:42 BST 2021
I am new to this list and would like to get involved, but I am a relative
beginner in programming. I understand from looking at this CVE that it is
triggered by a particular type of API call, which is probably unlikely in
the wild, unless prior recon has been done and there is already a threat
actor inside. The threat is less than six. I work in security and I have
seen many environments where threats this low are not patched. If I had
time and wanted to volunteer help, can someone instruct me how to
get started? Thank you in advance. I apologize if I am making noise on the
list, I just signed up. I thought QA would be an easy way to get started
in the Debian community. Thanks.
Michael Lazin
.. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.
On Mon, Aug 23, 2021 at 8:03 AM Adrian Bunk <bunk at debian.org> wrote:
> Source: passenger
> Severity: serious
>
> passenger-5.0.30/src/cxx_supportlib/vendor-copy:
> adhoc_lve.h libcurl libuv nghttp2 utf8 utf8.h
>
> passenger-5.0.30/src/cxx_supportlib/vendor-modified:
> SmallVector.h jsoncpp modp_b64.cpp modp_b64_data.h
> boost libev modp_b64.h psg_sysqueue.h
>
> passenger-6.0.10/src/cxx_supportlib/vendor-copy:
> adhoc_lve.h libuv utf8 utf8.h websocketpp
>
> passenger-6.0.10/src/cxx_supportlib/vendor-modified:
> boost libev modp_b64.h modp_b64_strict_aliasing.cpp
> jsoncpp modp_b64.cpp modp_b64_data.h psg_sysqueue.h
>
>
> The problem is that these vendored copies seem to actually be used.
>
> Does for example CVE-2021-22918 in libuv1 need fixing in passenger?
>
> The security team is Cc'ed, and in a better position to suggest
> how this package should be handled.
>
> Related, passenger is in security-tracker/data/packages/removed-packages
> (it was renamed to ruby-passenger and then renamed back).
>
>