Control: severity -1 important

Hi,

On Mon, Aug 23, 2021 at 03:00:16PM +0300, Adrian Bunk wrote:
> Source: passenger
> Severity: serious
>
> passenger-5.0.30/src/cxx_supportlib/vendor-copy:
> adhoc_lve.h libcurl libuv nghttp2 utf8 utf8.h
>
> passenger-5.0.30/src/cxx_supportlib/vendor-modified:
> SmallVector.h jsoncpp modp_b64.cpp modp_b64_data.h
> boost libev modp_b64.h psg_sysqueue.h
>
> passenger-6.0.10/src/cxx_supportlib/vendor-copy:
> adhoc_lve.h libuv utf8 utf8.h websocketpp
>
> passenger-6.0.10/src/cxx_supportlib/vendor-modified:
> boost libev modp_b64.h modp_b64_strict_aliasing.cpp
> jsoncpp modp_b64.cpp modp_b64_data.h psg_sysqueue.h
>
>
> The problem is that these vendored copies seem to actually be used.
>
> Does for example CVE-2021-22918 in libuv1 need fixing in passenger?

6.0.13+ds-1 drops the embedded copies of both libuv and libev, which seem to be the most high-profile libraries; and it's now actually possible to build passenger against system-provided copies of those.

There is still an embedded copy of boost, but that's modified from upstream boost in a way that the code does not build against system boost.

Ideally we would want to drop all of the other embedded copies, but realistically that would involve an amount of work that is not available at the moment.

Because this is still a relevant issue, but IMO not worth removing passenger because of it, I am downgrading this bug to important.