Bug#924309: RM: passenger/5.0.30-1
Hi,
On Tue, Mar 12, 2019 at 12:31:30AM +0100, Nicolas Braud-Santoni wrote:
> On Mon, Mar 11, 2019 at 07:53:44PM +0100, Paul Gevers wrote:
> > Control: tags -1 moreinfo
> >
> > Hi Nicolas
>
> Hi Paul,
>
> > On 11-03-2019 13:29, Nicolas Braud-Santoni wrote:
> > > Passenger has had an open, grave security bug open since December 2017 (#884463)
> > > and hasn't been uploaded to since August 2016.
> > >
> > > As far as I can tell, no other package will be adversely impacted by the
> > > removal.
> >
> > passenger ships libapache2-mod-passenger
> > puppet-master-passenger depends on libapache2-mod-passenger
> > puppet-master-passenger is built by puppet
>
> Indeed! I misread while checking, saw -passenger, thought that was a passenger
> package...
>
> Thanks for the correction!
>
>
> > DSA uses puppet to control our infrastructure
>
> I'm aware :)
>
> Generally, there are probably quite a few users of Puppet in Debian,
> it's a popular config management system.
>
>
> > I don't think we can remove passenger without work. How did you come to
> > the conclusion that no other packages are impacted?
>
> Is there no way to run the puppet master without passenger?
>
> If so, then we probably /have to/ fix Passenger for Buster. In that case I can
> package an up-to-date version to fix the security issue, but I'm not
> volunteering to maintain it permanently.
This issue can be closed. I addressed in an NMU #884463, CVE-2017-16355,
the arbitrary file read via REVISION symlink issue.
It needs an unblock to enter testing/buster still.
passenger has not seen an update since the stretch release apart from that,
so I think this needs a solution after the buster release.
Regards,
Salvatore