[DRE-maint] Bug#992786: passenger uses many vendored libraries

Antonio Terceiro terceiro at debian.org
Thu Jun 2 01:05:26 BST 2022


Control: severity -1 important

Hi,

On Mon, Aug 23, 2021 at 03:00:16PM +0300, Adrian Bunk wrote:
> Source: passenger
> Severity: serious
> 
> passenger-5.0.30/src/cxx_supportlib/vendor-copy:
> adhoc_lve.h  libcurl  libuv  nghttp2  utf8  utf8.h
> 
> passenger-5.0.30/src/cxx_supportlib/vendor-modified:
> SmallVector.h  jsoncpp  modp_b64.cpp  modp_b64_data.h
> boost          libev    modp_b64.h    psg_sysqueue.h
> 
> passenger-6.0.10/src/cxx_supportlib/vendor-copy:
> adhoc_lve.h  libuv  utf8  utf8.h  websocketpp
> 
> passenger-6.0.10/src/cxx_supportlib/vendor-modified:
> boost    libev         modp_b64.h       modp_b64_strict_aliasing.cpp
> jsoncpp  modp_b64.cpp  modp_b64_data.h  psg_sysqueue.h
> 
> 
> The problem is that these vendored copies seem to actually be used.
> 
> Does for example CVE-2021-22918 in libuv1 need fixing in passenger?

6.0.13+ds-1 drops the embedded copies of both libuv and libev, which seem
to be the most high-profile libraries; and it's now actually possible to
build passenger against system-provided copies of those.

There is still an embedded copy of boost, but that's modified from
upstream boost in a way that the code does not build against system boost.

Ideally we would want to drop all of the other embedded copies, but
realistically that would involve an amount of work that is not available
at the moment.

Because this is still a relevant issue, but IMO not worth removing
passenger because of it, I am downgrading this bug to important.
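The underlying risk in this thread is that a fix shipped in a system package (the libuv CVE-2021-22918 example above) never reaches a binary built from an embedded copy. The following is an added example, not code from passenger, Debian, or either author: a small inventory script that walks a source tree, lists every entry found directly under the `vendor-copy` and `vendor-modified` directories the report names, and answers whether a given library would need a separate fix in this package. The directory-naming convention and the sample tree are assumptions modelled on the listing quoted in the report, not a real passenger checkout.

```python
"""Inventory vendored library copies in a source tree.

Added example; not part of passenger or the Debian bug report.
Assumption: vendored code lives under directories named 'vendor-copy'
(unmodified upstream) or 'vendor-modified' (patched upstream), and each
immediate child entry (file or directory) is one vendored library.
"""
import os
import tempfile
from pathlib import Path

VENDOR_DIRS = ("vendor-copy", "vendor-modified")


def find_vendored(root):
    """Map normalised library name -> [(kind, relative path), ...].

    'kind' is 'vendor-copy' or 'vendor-modified'; the distinction matters
    because a modified copy cannot simply be swapped for the system library.
    Names are lower-cased and stripped of extensions so 'utf8' and 'utf8.h'
    both answer a query for 'utf8'.
    """
    root = Path(root)
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        base = os.path.basename(dirpath)
        if base not in VENDOR_DIRS:
            continue
        for entry in sorted(dirnames + filenames):
            name = entry.split(".")[0].lower()
            rel = str(Path(dirpath, entry).relative_to(root))
            found.setdefault(name, []).append((base, rel))
        # Do not descend into the vendored code itself; one entry per library.
        dirnames[:] = []
    return found


def needs_separate_fix(inventory, library):
    """True if the library is vendored: a security update to the system
    package would not reach a binary built from this tree."""
    return library.lower() in inventory


def report(inventory):
    """Human-readable summary, one line per vendored library."""
    lines = []
    for name in sorted(inventory):
        for kind, rel in inventory[name]:
            lines.append(f"{name:14s} {kind:16s} {rel}")
    return "\n".join(lines)


def build_sample_tree():
    """Constructed sample tree mirroring the layout quoted in the report
    (6.0.10 listing); not a real checkout."""
    tmp = Path(tempfile.mkdtemp(prefix="passenger-sample-"))
    layout = {
        "src/cxx_supportlib/vendor-copy": [
            "adhoc_lve.h", "libuv", "utf8", "utf8.h", "websocketpp"],
        "src/cxx_supportlib/vendor-modified": [
            "boost", "libev", "jsoncpp", "modp_b64.h", "psg_sysqueue.h"],
        "src/cxx_supportlib/oxt": ["thread.hpp"],  # non-vendored, must be ignored
    }
    for d, entries in layout.items():
        (tmp / d).mkdir(parents=True)
        for e in entries:
            p = tmp / d / e
            if "." in e:
                p.write_text("// placeholder\n")
            else:
                p.mkdir()
                (p / "README").write_text("vendored copy\n")
    return tmp


if __name__ == "__main__":
    inv = find_vendored(build_sample_tree())
    print(report(inv))
    for lib in ("libuv", "boost", "libcurl"):
        print(f"{lib}: separate fix needed = {needs_separate_fix(inv, lib)}")
```

Run against a real unpacked source tree by passing its path to `find_vendored` instead of `build_sample_tree()`; the `vendor-modified` entries are the ones to flag in a packaging review, since those cannot be replaced by a build-dependency without first reconciling the local patches.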