Hi,

On Fri, 30 Jun 2017, Hugo Lefeuvre wrote:
> I just had a look at boa, which is affected by CVE-2017-9833.
>
> IMHO, I do not think it's worth taking time for this completely
> outdated, single-tasking, potentially dangerous webserver. It hasn't
> seen an update for 12+ years (last rc 2005?), doesn't support SSL,
> access authentication, etc.
>
> Does anybody know whether our sponsors have interest in boa ?

You can check this yourself in our private git repository:

$ grep ^boa packages-to-support
$

So the answer is no.

> Otherwise I think we should declare it unsupported.

I think that we don't need to do that because the CVE seems to be
entirely bogus: the boa source package doesn't contain any "wapopen"
cgi-script, the report is probably about a badly written CGI script
running in a camera that runs boa.

I don't know who filed this CVE but it has likely been misfiled (putting
c...@mitre.org in copy due to this).

Cheers,
--
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/