- Package: src:passenger
- Source: passenger
- Submitter: Adrian Bunk
- Date: 2022-06-02 00:09:06 UTC
- Severity: important
passenger-5.0.30/src/cxx_supportlib/vendor-copy:
  adhoc_lve.h libcurl libuv nghttp2 utf8 utf8.h

passenger-5.0.30/src/cxx_supportlib/vendor-modified:
  SmallVector.h jsoncpp modp_b64.cpp modp_b64_data.h boost libev modp_b64.h psg_sysqueue.h

passenger-6.0.10/src/cxx_supportlib/vendor-copy:
  adhoc_lve.h libuv utf8 utf8.h websocketpp

passenger-6.0.10/src/cxx_supportlib/vendor-modified:
  boost libev modp_b64.h modp_b64_strict_aliasing.cpp jsoncpp modp_b64.cpp modp_b64_data.h psg_sysqueue.h

The problem is that these vendored copies seem to actually be used. Does for example CVE-2021-22918 in libuv1 need fixing in passenger? The security team is Cc'ed, and in a better position to suggest how this package should be handled. Related, passenger is in security-tracker/data/packages/removed-packages (it was renamed to ruby-passenger and then renamed back).
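A practical first step when triaging a report like the one above is to find out which version each embedded copy actually declares, so it can be compared against the version an advisory names as fixed. The following is an added example, not tooling from passenger or from the Debian security team. It assumes the vendored trees keep the upstream header layout (libuv's UV_VERSION_MAJOR/MINOR/PATCH macros in include/uv/version.h, or uv-version.h in older releases; libev's EV_VERSION_MAJOR/MINOR in ev.h). The directory names vendor-copy and vendor-modified are taken from the report; the version numbers in the constructed demo tree and the (1, 42, 0) review threshold are invented for illustration and are not a statement about which libuv release fixes CVE-2021-22918.

```python
"""Scan a source tree for vendored (embedded) library copies and report the
library versions they declare.  Added example; not passenger's or Debian's
own tooling.  Version numbers in the demo tree are constructed."""
import os
import re
import tempfile

# Assumption: vendored copies keep upstream's version header names/macros.
LIBRARIES = {
    "libuv": ("UV_VERSION", ("version.h", "uv-version.h")),
    "libev": ("EV_VERSION", ("ev.h",)),
}
# Directory names as listed in the bug report.
VENDOR_DIRS = ("vendor-copy", "vendor-modified")


def parse_version_macros(text, prefix):
    """Return (major, minor, patch) from '#define <prefix>_MAJOR/MINOR/PATCH'
    lines, or None if MAJOR/MINOR are absent.  PATCH defaults to 0, since
    libev does not define one."""
    found = {}
    for part in ("MAJOR", "MINOR", "PATCH"):
        m = re.search(r"#\s*define\s+%s_%s\s+(\d+)" % (prefix, part), text)
        if m:
            found[part] = int(m.group(1))
    if "MAJOR" not in found or "MINOR" not in found:
        return None
    return (found["MAJOR"], found["MINOR"], found.get("PATCH", 0))


def scan_vendored(root):
    """Walk root and return a sorted list of (lib, libdir, version) for every
    known library found directly under a vendor-copy/vendor-modified dir."""
    results = []
    for dirpath, dirnames, _ in os.walk(root):
        if os.path.basename(dirpath) not in VENDOR_DIRS:
            continue
        for lib in dirnames:
            if lib not in LIBRARIES:
                continue
            prefix, header_names = LIBRARIES[lib]
            libdir = os.path.join(dirpath, lib)
            version = None
            # Look for the version header anywhere inside the vendored tree.
            for hp, _, files in os.walk(libdir):
                for f in files:
                    if f in header_names:
                        with open(os.path.join(hp, f), encoding="utf-8",
                                  errors="replace") as fh:
                            version = parse_version_macros(fh.read(), prefix)
                        if version:
                            break
                if version:
                    break
            results.append((lib, libdir, version))
    return sorted(results)


def needs_review(version, fixed_in):
    """True when the vendored version is older than the version the advisory
    says carries the fix, or when no version could be determined at all."""
    return version is None or version < fixed_in


def build_demo_tree(root):
    """Constructed miniature of the layout from the report, with invented
    version numbers, purely to exercise the scanner."""
    files = {
        "src/cxx_supportlib/vendor-copy/libuv/include/uv/version.h":
            "#define UV_VERSION_MAJOR 1\n#define UV_VERSION_MINOR 24\n"
            "#define UV_VERSION_PATCH 1\n",
        "src/cxx_supportlib/vendor-modified/libev/ev.h":
            "#define EV_VERSION_MAJOR 4\n#define EV_VERSION_MINOR 24\n",
        "src/cxx_supportlib/vendor-copy/utf8.h": "/* not tracked here */\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    return scan_vendored(build_demo_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    # Illustrative threshold only; take the real one from the advisory.
    threshold = (1, 42, 0)
    for lib, path, version in demo():
        flag = "REVIEW" if needs_review(version, threshold) else "ok"
        print(lib, path, version, flag)
```

Run it against an unpacked passenger tarball (`scan_vendored("passenger-6.0.10")`) instead of the demo tree; a library whose version header cannot be found is reported with version None and flagged for manual review rather than silently passed, because a modified copy (the report's vendor-modified directory) may have dropped or renamed the upstream header.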
I am new to this list and would like to get involved, but I am a relative beginner in programming. I understand from looking at this CVE that it is triggered by a particular type of API call, which is probably unlikely in the wild, unless prior recon has been done and there is already a threat actor inside. The threat is less than six. I work in security and I have seen many environments where threats this low are not patched. If I had time and wanted to volunteer help, could someone instruct me how to get started? Thank you in advance. I apologize if I am making noise on the list; I just signed up. I thought QA would be an easy way to get started in the Debian community. Thanks. Michael Lazin .. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.
Debian has already issued a security advisory for this specific vulnerability for the libuv1 package (and sent to the wrong list): https://www.debian.org/security/2021/dsa-4936 My bug report was about passenger having copies of libraries that might also be vulnerable to CVEs like, for example, this one. General information: https://www.debian.org/intro/help The debian-mentors mailing list would be a good starting point for helping other contributors with problems packaging and maintaining software in Debian. cu Adrian
Hi, 6.0.13+ds-1 drops the embedded copies of both libuv and libev, which seem to be the most high-profile libraries; and it's now actually possible to build passenger against system-provided copies of those. There is still an embedded copy of boost, but that is modified from upstream boost in a way that means the code does not build against system boost. Ideally we would want to drop all of the other embedded copies, but realistically that would involve an amount of work that is not available at the moment. Because this is still a relevant issue, but IMO not worth removing passenger because of it, I am downgrading this bug to important.