author: Brian May <brian@linuxpenguins.xyz> 2020-04-01 07:17:16 +1100
committer: Brian May <brian@linuxpenguins.xyz> 2020-04-01 07:34:56 +1100
commit: 10c8c53f890a29bcb892bc2cdbd3d25f0c69e754
tree: b1df71355f39183a155d2d41dd892c428b0b9fb9 /data
parent: 3b1daa193bc95ff45777ce16eba78bb2c11e8b2d
lua-cgi - code is broken and cannot be exploited
As per bug #954300, the session.close function is broken. This means it is not possible to save session data. This in turn means there are no concerns if the session id is made public because there is no sensitive data associated with the session. So it doesn't matter if somebody attempts to guess the session id because it doesn't reveal anything useful. This bug is trivial to resolve, however the fact that nobody is complaining about this bug or trying to fix the bug would strongly suggest that nobody is using session management with lua-cgi.
Diffstat (limited to 'data')
-rw-r--r--  data/CVE/2014.list   4
-rw-r--r--  data/dla-needed.txt  4
2 files changed, 3 insertions, 5 deletions
diff --git a/data/CVE/2014.list b/data/CVE/2014.list
index 9526615b5c..957d49fd15 100644
--- a/data/CVE/2014.list
+++ b/data/CVE/2014.list
@@ -19574,8 +19574,10 @@ CVE-2014-2877
CVE-2014-2876
RESERVED
CVE-2014-2875 (The session.lua library in CGILua 5.2 alpha 1 and 5.2 alpha 2 uses wea ...)
- - lua-cgi <unfixed> (bug #953037)
+ - lua-cgi <not-affected> (code is broken and cannot be exploited)
NOTE: https://github.com/keplerproject/cgilua/issues/17
+ NOTE: https://bugs.debian.org/953037
+ NOTE: https://bugs.debian.org/954300
CVE-2014-XXXX [Insecure default permissions for ~/.virtualenvs and scripts]
- virtualenvwrapper 4.3-1 (low; bug #745580)
[wheezy] - virtualenvwrapper <no-dsa> (Minor issue)
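Review bot: the new <not-affected> state on the lua-cgi line is only true while bug #954300 stays unfixed, and the commit message itself says that bug is trivial to resolve; the weak session-id code behind CVE-2014-2875 is still shipped, so a later fix of session.close would silently make this entry wrong with nothing prompting a revisit. Either record the dependency on the line itself, e.g. a further `NOTE: unexploitable only while #954300 (session.close broken) is open; revisit if that bug is closed`, or use a state that says "present but not worth fixing" (<ignored> or <unimportant>) instead of <not-affected>, which the tracker normally reserves for versions that do not contain the vulnerable code at all.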
diff --git a/data/dla-needed.txt b/data/dla-needed.txt
index e4557285c9..953eefd41e 100644
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -47,10 +47,6 @@ linux (Ben Hutchings)
--
linux-4.9 (Ben Hutchings)
--
-lua-cgi
- NOTE: 20200227: The package do not seem to be used much, but the popcon data in this case
- NOTE: 20200227: may not be entirely reliable. One possibility is to declare it unsupported. (Ola)
---
mumble (Abhijith PA)
NOTE:20200325: Regression in last upload, forgot to follow up.
NOTE:20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)
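Review bot: dropping the whole lua-cgi block also drops Ola's 20200227 suggestion to declare the package unsupported, which this commit neither acts on nor rebuts; the commit message's argument that nobody uses lua-cgi session management supports that suggestion rather than closing it. Carry the point forward somewhere it will still be seen (a NOTE on the CVE-2014-2875 entry, or the unsupported list if that is the decision) rather than leaving it only in the history of dla-needed.txt.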