Hi,

On Fri, 30 Jun 2017, Hugo Lefeuvre wrote:
> I just had a look at boa, which is affected by CVE-2017-9833.
> 
> IMHO, I do not think it's worth taking time for this completely
> outdated, single-tasking, potentially dangerous webserver. It hasn't
> seen an update for 12+ years (last rc 2005?), doesn't support SSL,
> access authentication, etc.
> 
> Does anybody know whether our sponsors have interest in boa ?

You can check this yourself in our private git repository:
$ grep ^boa packages-to-support 
$ 

So the answer is no.

> Otherwise I think we should declare it unsupported.

I think that we don't need to do that because the CVE seems to be entirely
bogus:
the boa source package doesn't contain any "wapopen" cgi-script, the
report is probably about a badly written CGI script running in a camera
that runs boa.

I don't know who filed this CVE but it has likely been misfiled (putting
c...@mitre.org in copy due to this).

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/

Reply via email to