Bug#1050186: [Pkg-nginx-maintainers] Bug#1050186: libnginx-mod-http-lua: depends on obsolete pcre3 library

Mon, 21 Aug 2023 09:57:14 -0700 

All:
See the Lua NGINX module issue here in upstream: https://github.com/openresty/lua-nginx-module/issues/1984 


This has been an open issue since December 2021, and there has *NOT* 
been massive movement yet upstream towards PCRE2 support.



The last info on that bug from July 13th indicates that there are no 
major updates and that a MAJOR update would be needed in Open Resty 
(1.21.4 has been Open Resty's version for eons) in order for PCRE2 
support to really make it, despite nginx core moving to PCRE2.



Given this situation, and the fact this is still not being moved on 
Upstream, this may be a case where we have to decide whether to actually 
*keep* Lua module around at all, especially if we consider PCRE3 
obsolete and a security flaw.  (In which case, this should be also 
tagged as a Security bug).



Thomas



On 8/21/23 11:24, Bastian Germann wrote:

Source: libnginx-mod-http-lua
Severity: serious
Version: 1:0.10.25-1
User: matthew-pcre...@debian.org
Usertags: obsolete-pcre3

Dear maintainer,

When the pcre3 -> pcre2 mass bug was filed, this package was left out.
I am filing this (edited copy) after the fact:

Your package still depends on the old, obsolete PCRE3 libraries
(i.e. libpcre3-dev). This has been end of life for a while now, and
upstream do not intend to fix any further bugs in it. Accordingly, we
would like to remove the pcre3 libraries from Debian.

The newer PCRE2 library was first released in 2015, and has been in
Debian since stretch. Upstream's documentation for PCRE2 is available
here: https://pcre.org/current/doc/html/

Many large projects that use PCRE have made the switch now (e.g. git,
php); it does involve some work, but we are now at the stage where
PCRE3 should not be used, particularly if it might ever be exposed to
untrusted input.

This mass bug filing was discussed on debian-devel@ in
https://lists.debian.org/debian-devel/2021/11/msg00176.html

Thanks,
Bastian

_______________________________________________
Pkg-nginx-maintainers mailing list
pkg-nginx-maintain...@alioth-lists.debian.net

https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-nginx-maintainers 

























					Reply via email to