Re: Mark boa unsupported ?
Hi,
On Fri, 30 Jun 2017, Hugo Lefeuvre wrote:
> I just had a look at boa, which is affected by CVE-2017-9833.
>
> IMHO, I do not think it's worth taking time for this completely
> outdated, single-tasking, potentially dangerous webserver. It hasn't
> seen an update for 12+ years (last rc 2005?), doesn't support SSL,
> access authentication, etc.
>
> Does anybody know whether our sponsors have interest in boa?
You can check this yourself in our private git repository:
$ grep ^boa packages-to-support
$
So the answer is no.
> Otherwise I think we should declare it unsupported.
I think that we don't need to do that because the CVE seems to be entirely
bogus:
the boa source package doesn't contain any "wapopen" cgi-script, the
report is probably about a badly written CGI script running in a camera
that runs boa.
I don't know who filed this CVE but it has likely been misfiled (putting
cve@mitre.org in copy due to this).
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/