On Mon, Mar 11, 2019 at 07:53:44PM +0100, Paul Gevers wrote:
> Control: tags -1 moreinfo
>
> Hi Nicolas

Hi Paul,

> On 11-03-2019 13:29, Nicolas Braud-Santoni wrote:
> > Passenger has had an open, grave security bug open since December 2017
> > (#884463)
> > and hasn't been uploaded to since August 2016.
> >
> > As far as I can tell, no other package will be adversely impacted by the
> > removal.
>
> passenger ships libapache2-mod-passenger
> puppet-master-passenger depends on libapache2-mod-passenger
> puppet-master-passenger is built by puppet

Indeed! I misread while checking, saw -passenger, thought that was a passenger
package... Thanks for the correction!

> DSA uses puppet to control our infrastructure

I'm aware :)
Generally, there are probably quite a few users of Puppet in Debian, it's a
popular config management system.

> I don't think we can remove passenger without work. How did you come to
> the conclusion that no other packages are impacted?

Is there no way to run the puppet master without passenger?
If so, then we probably /have to/ fix Passenger for Buster.

In that case I can package an up-to-date version to fix the security issue,
but I'm not volunteering to maintain it permanently.

Best,

  nicoo