Hi Adrian,

On Tue, Apr 01, 2025 at 12:04:31AM +0300, Adrian Bunk wrote:
> On Mon, Mar 31, 2025 at 10:12:03PM +0200, Salvatore Bonaccorso wrote:
> >...
> > On Mon, Mar 31, 2025 at 04:58:15PM +0300, Adrian Bunk wrote:
> > > Package: libbson-xs-perl
> > > Version: 0.8.4-3
> > > Severity: serious
> > > Tags: security
> > > X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
> > >
> > > https://metacpan.org/dist/BSON-XS
> > >
> > > Changes for version v0.8.4 - 2020-08-13
> > > !!! END OF LIFE NOTICE !!!
> > > As of August 13, 2020, the BSON-XS library has reached end of
> > > life and is no longer supported by MongoDB.
> > >
> > >
> > > The security aspect of this bug is that some/all of the bson CVEs
> > > against mongo-c-driver might also apply to the copy of the bson code
> > > in libbson-xs-perl.
> > >
> > > An alternative solution for the latter might be patching the source to
> > > build with libbson-dev.
> >
> > "Ideally" the removal would be the right choice given the
> > deprecation/end-of-life, but I fear that is not possible at this stage
> > in the freeze. libmongodb-perl has AFAICS a depends on libbson-xs-perl
>
> Recommends, as performance optimization compared to the pure-Perl
> libbson-perl.

Yes right, thanks for spotting and the correction.

> The build dependency is !nocheck, and the tests pass for me without
> libbson-xs-perl.
>
> > and libmongodb-perl has some reverse dependencies.
>
> libmongodb-perl and libbson-perl are also EOL, but AFAIK removing
> just libbson-xs-perl would only have a performance impact for rdeps.
>
> > gregor, yadd, any opinions from you here?

So might indeed be more feasible.

Regards,
Salvatore