Your message dated Sun, 11 May 2025 06:56:36 +0000
with message-id 
<nEt4UHJzkRrJLAPCjF-DAFgd9T6jMVwcZ1m2n67eNyeiHFsjouM61zHJK5UhsFqTdo6jONDXRE_QsQwKxyc8q90t-bBfZau9S_ZpSPXr-Bk=@proton.me>
and subject line Re: Bug#1104616: Info received (Backporting trixie mini-httpd)
has caused the Debian Bug report #1104616,
regarding mini-httpd: CGI scripts do not emit logs, please backport fix
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1104616: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104616
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mini-httpd
Version: 1.30-3
Severity: serious
Tags: security

Hello - mini-httpd as built in bullseye and bookworm (package versions
1.30-2+b1 and 1.30-3) does not emit logs when CGI scripts are called.

This was fixed in bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516307

While great news, the change was only pushed to unstable/testing. Due to the
security implication of the bug (if an attacker accesses a vulnerable CGI
script, no evidence would be left; this is a vulnerability), I kindly ask
whether this patch can be backported to bookworm and bullseye as a security fix.

Due to the simplicity of the existing patch I was hoping this could be
backported to supported releases before the cutover to trixie. Thank you!

Regards
Lloyd

--- End Message ---
--- Begin Message ---
Version: 1.30-12

Workaround provided by maintainer. Thank you!

--- End Message ---
