Re: Support of lua-cgi

Ola Lundqvist <ola@inguza.com> writes:

> Hi fellow LTS members
> Today (as part of front desk work) I triaged lua-cgi and I thought that the
> session id vulnerabilities were rather basic and severe. So I thought that
> if it is really used software it would have been found much earlier.
> Especially since the vulnerability has been there for some 6 years or so.
> So I checked popcon and it is not really used much. I know we cannot trust
> popcon that much but there were just some 80 installations reported in
> total.
> So I think we should probably mark lua-cgi as unsupported instead of fixing
> the vulnerabilities.

Somehow the discussion on this turned to private emails, which wasn't my

Anyway, the summary is I don't believe that lua-cgi in Debian is
vulnerable, because it is broken and cannot actually save sessions.

For details, see the bug report I filed:

I updated the bug report on the security issue, see:

I also created some upstream bug reports:

So I now intend to wait a bit and see if I get any responses. If not, I
will mark this security issue as "not vulnerable" in Debian, because it
is not possible to exploit as it is broken.
Brian May <bam@debian.org>

