
Re: Mark boa unsupported ?



Hi,

On Fri, 30 Jun 2017, Hugo Lefeuvre wrote:
> I just had a look at boa, which is affected by CVE-2017-9833.
> 
> IMHO, I do not think it's worth taking time for this completely
> outdated, single-tasking, potentially dangerous webserver. It hasn't
> seen an update for 12+ years (last rc 2005?), doesn't support SSL,
> access authentication, etc.
> 
> Does anybody know whether our sponsors have interest in boa ?

You can check this yourself in our private git repository:
$ grep ^boa packages-to-support 
$ 

So the answer is no.

> Otherwise I think we should declare it unsupported.

I think that we don't need to do that because the CVE seems to be entirely
bogus:
the boa source package doesn't contain any "wapopen" cgi-script, the
report is probably about a badly written CGI script running in a camera
that runs boa.

I don't know who filed this CVE but it has likely been misfiled (putting
cve@mitre.org in copy due to this).

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/

