[Pkg-nginx-maintainers] Bug#1050186: Bug#1050186: libnginx-mod-http-lua: depends on obsolete pcre3 library

Thomas Ward teward at thomas-ward.net
Mon Aug 21 17:55:49 BST 2023


All:

See the Lua NGINX module issue here in upstream: 
https://github.com/openresty/lua-nginx-module/issues/1984

This has been an open issue since December 2021, and there has *NOT* 
been massive movement yet upstream towards PCRE2 support.

The last info on that bug from July 13th indicates that there are no 
major updates and that a MAJOR update would be needed in OpenResty 
(1.21.4 has been OpenResty's version for eons) in order for PCRE2 
support to really make it, despite nginx core moving to PCRE2.

Given this situation, and the fact this is still not being moved on 
upstream, this may be a case where we have to decide whether to actually 
*keep* the Lua module around at all, especially if we consider PCRE3 
obsolete and a security flaw.  (In which case, this should also be 
tagged as a Security bug).


Thomas



On 8/21/23 11:24, Bastian Germann wrote:
> Source: libnginx-mod-http-lua
> Severity: serious
> Version: 1:0.10.25-1
> User: matthew-pcredep at debian.org
> Usertags: obsolete-pcre3
>
> Dear maintainer,
>
> When the pcre3 -> pcre2 mass bug was filed, this package was left out.
> I am filing this (edited copy) after the fact:
>
> Your package still depends on the old, obsolete PCRE3 libraries
> (i.e. libpcre3-dev). This has been end of life for a while now, and
> upstream do not intend to fix any further bugs in it. Accordingly, we
> would like to remove the pcre3 libraries from Debian.
>
> The newer PCRE2 library was first released in 2015, and has been in
> Debian since stretch. Upstream's documentation for PCRE2 is available
> here: https://pcre.org/current/doc/html/
>
> Many large projects that use PCRE have made the switch now (e.g. git,
> php); it does involve some work, but we are now at the stage where
> PCRE3 should not be used, particularly if it might ever be exposed to
> untrusted input.
>
> This mass bug filing was discussed on debian-devel@ in
> https://lists.debian.org/debian-devel/2021/11/msg00176.html
>
> Thanks,
> Bastian