| author | Brian May <brian@linuxpenguins.xyz> | 2020-04-01 07:17:16 +1100 |
|---|---|---|
| committer | Brian May <brian@linuxpenguins.xyz> | 2020-04-01 07:34:56 +1100 |
| commit | 10c8c53f890a29bcb892bc2cdbd3d25f0c69e754 (patch) | |
| tree | b1df71355f39183a155d2d41dd892c428b0b9fb9 /data | |
| parent | 3b1daa193bc95ff45777ce16eba78bb2c11e8b2d (diff) | |
lua-cgi - code is broken and cannot be exploited
As per bug #954300, the session.close function is broken. This means it
is not possible to save session data. This in turn means there are no
concerns if the session id is made public because there is no sensitive
data associated with the session. So it doesn't matter if somebody
attempts to guess the session id because it doesn't reveal anything
useful.
This bug is trivial to resolve, however the fact that nobody is
complaining about this bug or trying to fix the bug would strongly
suggest that nobody is using session management with lua-cgi.
Diffstat (limited to 'data')
| -rw-r--r-- | data/CVE/2014.list | 4 |
|---|---|---|
| -rw-r--r-- | data/dla-needed.txt | 4 |
2 files changed, 3 insertions, 5 deletions
diff --git a/data/CVE/2014.list b/data/CVE/2014.list index 9526615b5c..957d49fd15 100644 --- a/data/CVE/2014.list +++ b/data/CVE/2014.list @@ -19574,8 +19574,10 @@ CVE-2014-2877 CVE-2014-2876 RESERVED CVE-2014-2875 (The session.lua library in CGILua 5.2 alpha 1 and 5.2 alpha 2 uses wea ...) - - lua-cgi <unfixed> (bug #953037) + - lua-cgi <not-affected> (code is broken and cannot be exploited) NOTE: https://github.com/keplerproject/cgilua/issues/17 + NOTE: https://bugs.debian.org/953037 + NOTE: https://bugs.debian.org/954300 CVE-2014-XXXX [Insecure default permissions for ~/.virtualenvs and scripts] - virtualenvwrapper 4.3-1 (low; bug #745580) [wheezy] - virtualenvwrapper <no-dsa> (Minor issue) diff --git a/data/dla-needed.txt b/data/dla-needed.txt index e4557285c9..953eefd41e 100644 --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -47,10 +47,6 @@ linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) -- -lua-cgi - NOTE: 20200227: The package do not seem to be used much, but the popcon data in this case - NOTE: 20200227: may not be entirely reliable. One possibility is to declare it unsupported. (Ola) --- mumble (Abhijith PA) NOTE:20200325: Regression in last upload, forgot to follow up. NOTE:20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith) |
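Review bot: in the data/CVE/2014.list hunk, the `<not-affected>` status is justified by a different, unfixed bug rather than by the CVE not applying to the packaged code: the session.lua issue from CVE-2014-2875 is still present in lua-cgi and is only unexploitable because session.close is broken (#954300, per the commit message). If #954300 is ever fixed, this entry silently becomes wrong. Suggest recording that dependency next to the new NOTE lines, e.g. `NOTE: not-affected only while #954300 (session.close broken) is unfixed; re-check if session saving is repaired`, and consider whether `<no-dsa>` with this rationale (the status used for the virtualenvwrapper entry in the same hunk's context) keeps the issue visible for a later re-check better than `<not-affected>` does.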
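Review bot: the data/dla-needed.txt hunk removes the lua-cgi entry together with Ola's 20200227 notes, which left an open question (popcon suggests low usage; "One possibility is to declare it unsupported") without recording how it was resolved. Dropping the entry is consistent with the commit message's view that nobody uses session management with lua-cgi, but the unsupported-package question is broader than this one CVE and is lost with this hunk. Suggest either keeping a one-line NOTE pointing at where that decision was taken, or stating in the commit message that the unsupported question remains open rather than settled.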