Hi,

On Tue, Mar 12, 2019 at 12:31:30AM +0100, Nicolas Braud-Santoni wrote:
> On Mon, Mar 11, 2019 at 07:53:44PM +0100, Paul Gevers wrote:
> > Control: tags -1 moreinfo
> >
> > Hi Nicolas
>
> Hi Paul,
>
> > On 11-03-2019 13:29, Nicolas Braud-Santoni wrote:
> > > Passenger has had an open, grave security bug since December 2017
> > > (#884463)
> > > and hasn't been uploaded to since August 2016.
> > >
> > > As far as I can tell, no other package will be adversely impacted by the
> > > removal.
> >
> > passenger ships libapache2-mod-passenger
> > puppet-master-passenger depends on libapache2-mod-passenger
> > puppet-master-passenger is built by puppet
>
> Indeed! I misread while checking, saw -passenger, thought that was a passenger
> package...
>
> Thanks for the correction!
>
> > DSA uses puppet to control our infrastructure
>
> I'm aware :)
>
> Generally, there are probably quite a few users of Puppet in Debian;
> it's a popular config management system.
>
> > I don't think we can remove passenger without work. How did you come to
> > the conclusion that no other packages are impacted?
>
> Is there no way to run the puppet master without passenger?
>
> If so, then we probably /have to/ fix Passenger for Buster. In that case I can
> package an up-to-date version to fix the security issue, but I'm not
> volunteering to maintain it permanently.
This issue can be closed. I addressed #884463, CVE-2017-16355, the arbitrary file read via REVISION symlink issue, in an NMU. It still needs an unblock to enter testing/buster. Apart from that, passenger has not seen an update since the stretch release, so I think this needs a solution after the buster release.

Regards,
Salvatore