Your message dated Wed, 20 Mar 2019 19:11:58 +0100
with message-id <20190320181158.GA20199@eldamar.local>
and subject line Re: Bug#924309: RM: passenger/5.0.30-1
has caused the Debian Bug report #924309,
regarding RM: passenger/5.0.30-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
924309: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924309
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: rm
Control: user bugsqu...@qa.debian.org
Control: usertags 884463 + ni...@debian.org
Dear release team,
Passenger has had an open, grave security bug open since December 2017 (#884463)
and hasn't been uploaded to since August 2016.
As far as I can tell, no other package will be adversely impacted by the
removal.
Best,
nicoo
--- End Message ---
--- Begin Message ---
Hi,
On Tue, Mar 12, 2019 at 12:31:30AM +0100, Nicolas Braud-Santoni wrote:
> On Mon, Mar 11, 2019 at 07:53:44PM +0100, Paul Gevers wrote:
> > Control: tags -1 moreinfo
> >
> > Hi Nicolas
>
> Hi Paul,
>
> > On 11-03-2019 13:29, Nicolas Braud-Santoni wrote:
> > > Passenger has had an open, grave security bug open since December 2017
> > > (#884463)
> > > and hasn't been uploaded to since August 2016.
> > >
> > > As far as I can tell, no other package will be adversely impacted by the
> > > removal.
> >
> > passenger ships libapache2-mod-passenger
> > puppet-master-passenger depends on libapache2-mod-passenger
> > puppet-master-passenger is built by puppet
>
> Indeed! I misread while checking, saw -passenger, thought that was a passenger
> package...
>
> Thanks for the correction!
>
>
> > DSA uses puppet to control our infrastructure
>
> I'm aware :)
>
> Generally, there are probably quite a few users of Puppet in Debian,
> it's a popular config management system.
>
>
> > I don't think we can remove passenger without work. How did you come to
> > the conclusion that no other packages are impacted?
>
> Is there no way to run the puppet master without passenger?
>
> If so, then we probably /have to/ fix Passenger for Buster. In that case I can
> package an up-to-date version to fix the security issue, but I'm not
> volunteering to maintain it permanently.
This issue can be closed. I addressed in a NMU #884463, CVE-2017-16355,
the arbitrary file read via REVISION symlink issue.
It needs an unblock to enter testing/buster still.
passenger has not seen an update since the stretch release apart from that,
so I think this needs a solution after the buster release.
Regards,
Salvatore
--- End Message ---