Re: Support of lua-cgi
Ola Lundqvist <firstname.lastname@example.org> writes:
> Hi fellow LTS members
> Today (as part of front desk work) I triaged lua-cgi and I thought that the
> session id vulnerabilities were rather basic and severe. So I thought that
> if it is a really used software it would have been found much earlier.
> Especially since the vulnerability has been there for some 6 years or so.
> So I checked popcon and it is not really used much. I know we cannot trust
> popcon that much but there were just some 80 installations reported in
> So I think we should probably mark lua-cgi as unsupported instead of fixing
> the vulnerabilities.
Somehow the discussion on this turned to private emails, which wasn't my
Anyway, the summary is I don't believe that lua-cgi in Debian is
vulnerable, because it is broken and cannot actually save sessions.
For details, see the bug report I filed:
I updated the bug report on the security issue, see:
I also created some upstream bug reports:
So I now intend to wait a bit and see if I get any responses. If not, I
will mark this security issue as "not vulnerable" in Debian, because it
is not possible to exploit as it is broken.
Brian May <email@example.com>