Re: Support of lua-cgi



Ola Lundqvist <ola@inguza.com> writes:

> Hi fellow LTS members
>
> Today (as part of front desk work) I triaged lua-cgi and I thought that the
> session id vulnerabilities were rather basic and severe. So I thought that
> if it is a really used software it would have been found much earlier.
> Especially since the vulnerability has been there for some 6 years or so.
> So I checked popcorn and it is not really used much. I know we cannot trust
> popcorn that much but there were just some 80 installations reported in
> total.
>
> So I think we should probably mark lua-cgi as unsupported instead of fixing
> the vulnerabilities.

Somehow the discussion on this turned to private emails, which wasn't my
intention.

Anyway, the summary is I don't believe that lua-cgi in Debian is
vulnerable, because it is broken and cannot actually save sessions.

For details, see the bug report I filed:
http://bugs.debian.org/954300

I updated the bug report on the security issue, see:
http://bugs.debian.org/953037

I also created some upstream bug reports:
https://github.com/keplerproject/cgilua/issues/16
https://github.com/keplerproject/cgilua/issues/17

So I now intend to wait a bit and see if I get any responses. If not, I
will mark this security issue as "not vulnerable" in Debian, because it
is not possible to exploit as it is broken.
-- 
Brian May <bam@debian.org>