Ola Lundqvist <o...@inguza.com> writes:

> Hi fellow LTS members
>
> Today (as part of front desk work) I triaged lua-cgi and I thought that the
> session id vulnerabilities were rather basic and severe. So I thought that
> if it were a really used piece of software it would have been found much earlier,
> especially since the vulnerability has been there for some 6 years or so.
> So I checked popcon and it is not really used much. I know we cannot trust
> popcon that much, but there were just some 80 installations reported in
> total.
>
> So I think we should probably mark lua-cgi as unsupported instead of fixing
> the vulnerabilities.
Somehow the discussion on this turned to private emails, which wasn't my
intention.

Anyway, the summary is I don't believe that lua-cgi in Debian is vulnerable,
because it is broken and cannot actually save sessions. For details, see the
bug report I filed:

http://bugs.debian.org/954300

I updated the bug report on the security issue, see:

http://bugs.debian.org/953037

I also created some upstream bug reports:

https://github.com/keplerproject/cgilua/issues/16
https://github.com/keplerproject/cgilua/issues/17

So I now intend to wait a bit and see if I get any responses. If not, I will
mark this security issue as "not vulnerable" in Debian, because it is not
possible to exploit as it is broken.

-- 
Brian May <b...@debian.org>