Bug#953037: marked as done (lua-cgi: CVE-2014-2875)

To: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Subject: Bug#953037: marked as done (lua-cgi: CVE-2014-2875)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Tue, 18 Nov 2025 10:21:10 +0000
Message-id: <[🔎] handler.953037.D953037.17634612383368899.ackdone@bugs.debian.org>
Reply-to: 953037@bugs.debian.org
References: <[🔎] E1vLIp9-004cSe-2a@fasolo.debian.org> <9b30556b-339e-014c-9cc3-27fa7198e117@beuc.net>

Your message dated Tue, 18 Nov 2025 10:20:35 +0000
with message-id <[🔎] E1vLIp9-004cSe-2a@fasolo.debian.org>
and subject line Bug#1119723: Removed package(s) from unstable
has caused the Debian Bug report #953037,
regarding lua-cgi: CVE-2014-2875
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
953037: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953037
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: submit@bugs.debian.org
Subject: lua-cgi: CVE-2014-2875
From: Sylvain Beucler <beuc@beuc.net>
Date: Tue, 3 Mar 2020 17:43:13 +0100
Message-id: <9b30556b-339e-014c-9cc3-27fa7198e117@beuc.net>

Package: lua-cgi
Severity: important
Tags: security upstream
Control: found -1 5.2~alpha2-1

Hi,

The following vulnerability was published for lua-cgi.

CVE-2014-2875[0]:
| The session.lua library in CGILua 5.2 alpha 1 and 5.2 alpha 2 uses
| weak session IDs generated based on OS time, which allows remote
| attackers to hijack arbitrary sessions via a brute force attack. NOTE:
| CVE-2014-10300 and CVE-2014-10400 were SPLIT from this ID.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-2875
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2875

Please adjust the affected versions in the BTS as needed.

Cheers!
Sylvain Beucler
Debian LTS Team

--- End Message ---

--- Begin Message ---

To: 953037-done@bugs.debian.org,954300-done@bugs.debian.org,995503-done@bugs.debian.org,
Cc: lua-cgi@packages.debian.org
Subject: Bug#1119723: Removed package(s) from unstable
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Date: Tue, 18 Nov 2025 10:20:35 +0000
Message-id: <[🔎] E1vLIp9-004cSe-2a@fasolo.debian.org>

Version: 6.0.2-2+rm

Dear submitter,

as the package lua-cgi has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1119723

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Thorsten Alteholz (the ftpmaster behind the curtain)

--- End Message ---

Reply to:

References:
- Bug#1119723: Removed package(s) from unstable
  - From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Prev by Date: Bug#1120855: (No Subject)
Next by Date: Bug#954300: marked as done (lua-cgi: session closing broken on lua5.1)
Previous by thread: Bug#1119723: Removed package(s) from unstable
Next by thread: Bug#954300: marked as done (lua-cgi: session closing broken on lua5.1)
Index(es):
- Date
- Thread