[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#992786: passenger uses many vendored libraries

Source: passenger
Severity: serious

adhoc_lve.h  libcurl  libuv  nghttp2  utf8  utf8.h

SmallVector.h  jsoncpp  modp_b64.cpp  modp_b64_data.h
boost          libev    modp_b64.h    psg_sysqueue.h

adhoc_lve.h  libuv  utf8  utf8.h  websocketpp

boost    libev         modp_b64.h       modp_b64_strict_aliasing.cpp
jsoncpp  modp_b64.cpp  modp_b64_data.h  psg_sysqueue.h

The problem is that these vendored copies seem to actually be used.

Does for example CVE-2021-22918 in libuv1 need fixing in passenger?

The security team is Cc'ed, and in a better position to suggest
how this package should be handled.

Related, passenger is in security-tracker/data/packages/removed-packages
(it was renamed to ruby-passenger and then renamed back).

Reply to: