[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#992786: passenger uses many vendored libraries

Control: severity -1 important


On Mon, Aug 23, 2021 at 03:00:16PM +0300, Adrian Bunk wrote:
> Source: passenger
> Severity: serious
> passenger-5.0.30/src/cxx_supportlib/vendor-copy:
> adhoc_lve.h  libcurl  libuv  nghttp2  utf8  utf8.h
> passenger-5.0.30/src/cxx_supportlib/vendor-modified:
> SmallVector.h  jsoncpp  modp_b64.cpp  modp_b64_data.h
> boost          libev    modp_b64.h    psg_sysqueue.h
> passenger-6.0.10/src/cxx_supportlib/vendor-copy:
> adhoc_lve.h  libuv  utf8  utf8.h  websocketpp
> passenger-6.0.10/src/cxx_supportlib/vendor-modified:
> boost    libev         modp_b64.h       modp_b64_strict_aliasing.cpp
> jsoncpp  modp_b64.cpp  modp_b64_data.h  psg_sysqueue.h
> The problem is that these vendored copies seem to actually be used.
> Does for example CVE-2021-22918 in libuv1 need fixing in passenger?

6.0.13+ds-1 drops the embedded copies of both libuv and libev, who seem
to be the most high-profile libraries; and it's now actually possible to
build passenger against system-provided copies of those.

There is still an embeded copy of boost, but that's modified from
upstream boost in a way that the code does not build about system boost.

Ideally we would want to drop all of the other embeded copies, but
realistically that would involve a amount of work that is not available
at the moment.

Because this is still a relevant issue, but IMO not worth removing
passenger because of it, I am downgrading this bug to important.

Attachment: signature.asc
Description: PGP signature

Reply to: