I am new to this list and would like to get involved, but I am a relative beginner in programming. I understand from looking at this CVE that it is triggered by a particular type of API call, which is probably unlikely in the wild, unless prior recon has been done and there is already a threat actor inside. The threat is less than six. I work in security and I have seen many environments where threats this low are not patched. If I had time and wanted to volunteer help, can someone instruct me how to get started? Thank you in advance. I apologize if I am making noise on the list, I just signed up. I thought QA would be an easy way to get started in the Debian community. Thanks.
Michael Lazin .. "For thinking and being are the same."

On Mon, Aug 23, 2021 at 8:03 AM Adrian Bunk <b...@debian.org> wrote:
> Source: passenger
> Severity: serious
>
> passenger-5.0.30/src/cxx_supportlib/vendor-copy:
> adhoc_lve.h libcurl libuv nghttp2 utf8 utf8.h
>
> passenger-5.0.30/src/cxx_supportlib/vendor-modified:
> SmallVector.h jsoncpp modp_b64.cpp modp_b64_data.h
> boost libev modp_b64.h psg_sysqueue.h
>
> passenger-6.0.10/src/cxx_supportlib/vendor-copy:
> adhoc_lve.h libuv utf8 utf8.h websocketpp
>
> passenger-6.0.10/src/cxx_supportlib/vendor-modified:
> boost libev modp_b64.h modp_b64_strict_aliasing.cpp
> jsoncpp modp_b64.cpp modp_b64_data.h psg_sysqueue.h
>
>
> The problem is that these vendored copies seem to actually be used.
>
> Does for example CVE-2021-22918 in libuv1 need fixing in passenger?
>
> The security team is Cc'ed, and in a better position to suggest
> how this package should be handled.
>
> Related, passenger is in security-tracker/data/packages/removed-packages
> (it was renamed to ruby-passenger and then renamed back).
>
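The question in the quoted report, whether a CVE fixed in the system libuv1 also needs fixing in passenger's vendored copy, comes down to two checks a maintainer can script: which vendored directories exist under src/cxx_supportlib, and which upstream version the vendored libuv actually is. The script below is an added example and is not code from the bug report, the passenger project or Debian's tooling. It assumes libuv's real header layout (include/uv/version.h defining UV_VERSION_MAJOR, UV_VERSION_MINOR and UV_VERSION_PATCH), takes the version that carries the fix as a parameter rather than asserting one, and builds a constructed sample tree with a made-up libuv version so it can run offline.

```shell
#!/bin/sh
# Added example, not part of the bug report or the passenger package.
# Enumerates vendored library directories in a passenger-like source tree
# and compares the vendored libuv's version with a given fixed version.

# Print MAJOR.MINOR.PATCH from a vendored libuv directory.
# Assumes libuv's real layout: include/uv/version.h with the three defines.
vendored_libuv_version() {
  hdr="$1/include/uv/version.h"
  [ -f "$hdr" ] || return 1
  major=$(sed -n 's/^#define UV_VERSION_MAJOR[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$hdr")
  minor=$(sed -n 's/^#define UV_VERSION_MINOR[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$hdr")
  patch=$(sed -n 's/^#define UV_VERSION_PATCH[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$hdr")
  [ -n "$major" ] && [ -n "$minor" ] && [ -n "$patch" ] || return 1
  printf '%s.%s.%s\n' "$major" "$minor" "$patch"
}

# Succeed if dotted version $1 is strictly older than $2 (numeric per field).
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# List vendored entries under src/cxx_supportlib/vendor-copy and
# vendor-modified, the layout the report shows for passenger 5.0.30 / 6.0.10.
list_vendored() {
  for d in "$1"/src/cxx_supportlib/vendor-copy/* "$1"/src/cxx_supportlib/vendor-modified/*; do
    [ -e "$d" ] && printf '%s\n' "${d#$1/}"
  done
}

# Constructed sample tree (not the real passenger source): a vendored libuv
# header with a made-up version 1.38.0 and an empty vendored libev directory.
make_sample_tree() {
  root="$1"
  mkdir -p "$root/src/cxx_supportlib/vendor-copy/libuv/include/uv" \
           "$root/src/cxx_supportlib/vendor-modified/libev"
  cat > "$root/src/cxx_supportlib/vendor-copy/libuv/include/uv/version.h" <<'EOF'
#define UV_VERSION_MAJOR 1
#define UV_VERSION_MINOR 38
#define UV_VERSION_PATCH 0
EOF
}

# Compare the vendored libuv against the upstream release carrying the fix.
# $2 is a placeholder to be filled from the CVE's fixed-version data; no
# particular value is asserted here. Returns 1 when the vendored copy is older.
check_vendored_libuv() {
  root="$1"; fixed="$2"
  v=$(vendored_libuv_version "$root/src/cxx_supportlib/vendor-copy/libuv") ||
    { echo "no vendored libuv found under $root"; return 2; }
  if version_lt "$v" "$fixed"; then
    echo "vendored libuv $v is older than $fixed: the fix is needed in this package too"
    return 1
  fi
  echo "vendored libuv $v is at or above $fixed"
  return 0
}

# Stand-alone use (both variables are assumed, not from the report):
#   PASSENGER_SRC=/path/to/passenger-6.0.10 LIBUV_FIXED=<fixed version> sh check_vendored.sh
if [ -n "${PASSENGER_SRC:-}" ]; then
  list_vendored "$PASSENGER_SRC"
  check_vendored_libuv "$PASSENGER_SRC" "${LIBUV_FIXED:-0.0.0}"
fi
```

The same pattern extends to the other vendored copies in the listing (libcurl, nghttp2, libev, boost) by pointing a version extractor at each library's own version header; the point is that a CVE marked fixed for the Debian libuv1 package says nothing about the copy compiled into passenger until that copy's version has been read from the source itself.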