From 10c8c53f890a29bcb892bc2cdbd3d25f0c69e754 Mon Sep 17 00:00:00 2001
From: Brian May
Date: Wed, 1 Apr 2020 07:17:16 +1100
Subject: lua-cgi - code is broken and cannot be exploited

As per bug #954300, the session.close function is broken. This means it is not possible to save session data.

This in turn means there are no concerns if the session id is made public because there is no sensitive data associated with the session. So it doesn't matter if somebody attempts to guess the session id because it doesn't reveal anything useful.

This bug is trivial to resolve, however the fact that nobody is complaining about this bug or trying to fix the bug would strongly suggest that nobody is using session management with lua-cgi.
--- data/CVE/2014.list | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'data/CVE/2014.list') diff --git a/data/CVE/2014.list b/data/CVE/2014.list index 9526615b5c..957d49fd15 100644 --- a/data/CVE/2014.list +++ b/data/CVE/2014.list @@ -19574,8 +19574,10 @@ CVE-2014-2877 CVE-2014-2876 RESERVED CVE-2014-2875 (The session.lua library in CGILua 5.2 alpha 1 and 5.2 alpha 2 uses wea ...) - - lua-cgi (bug #953037) + - lua-cgi (code is broken and cannot be exploited) NOTE: https://github.com/keplerproject/cgilua/issues/17 + NOTE: https://bugs.debian.org/953037 + NOTE: https://bugs.debian.org/954300 CVE-2014-XXXX [Insecure default permissions for ~/.virtualenvs and scripts] - virtualenvwrapper 4.3-1 (low; bug #745580) [wheezy] - virtualenvwrapper (Minor issue) -- cgit v1.2.3
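
Review bot: On the changed CVE-2014-2875 line, the reason "(code is broken and cannot be exploited)" holds only while session.close stays broken, and the commit message itself calls bug #954300 trivial to resolve. Once that bug is fixed, session data can be saved again and the session id guessing concern that the commit message sets aside becomes relevant, but nothing in the entry records that dependency: the two added bugs.debian.org NOTE lines are bare URLs. Consider adding a NOTE that states the condition, for example "NOTE: not exploitable only while session.close is broken (#954300); revisit when that is fixed", so that a fix for #954300 prompts a re-triage of this entry. The "nobody is using session management" argument is an inference from the absence of bug reports, so it is better kept in the commit message than relied on as the recorded justification.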