Source: passenger Severity: serious passenger-5.0.30/src/cxx_supportlib/vendor-copy: adhoc_lve.h libcurl libuv nghttp2 utf8 utf8.h
passenger-5.0.30/src/cxx_supportlib/vendor-modified: SmallVector.h jsoncpp modp_b64.cpp modp_b64_data.h boost libev modp_b64.h psg_sysqueue.h passenger-6.0.10/src/cxx_supportlib/vendor-copy: adhoc_lve.h libuv utf8 utf8.h websocketpp passenger-6.0.10/src/cxx_supportlib/vendor-modified: boost libev modp_b64.h modp_b64_strict_aliasing.cpp jsoncpp modp_b64.cpp modp_b64_data.h psg_sysqueue.h The problem is that these vendored copies seem to actually be used. Does for example CVE-2021-22918 in libuv1 need fixing in passenger? The security team is Cc'ed, and in a better position to suggest how this package should be handled. Related, passenger is in security-tracker/data/packages/removed-packages (it was renamed to ruby-passenger and then renamed back).
