On Tue, Mar 03, 2020 at 05:43:13PM +0100, Sylvain Beucler wrote:
> The following vulnerability was published for lua-cgi.
>
> CVE-2014-2875[0]:
> | The session.lua library in CGILua 5.2 alpha 1 and 5.2 alpha 2 uses
> | weak session IDs generated based on OS time, which allows remote
> | attackers to hijack arbitrary sessions via a brute force attack. NOTE:
> | CVE-2014-10300 and CVE-2014-10400 were SPLIT from this ID.
To me it looks like the session management in the Debian package is
completely broken, and as such has no actual security issue here. See:

http://bugs.debian.org/954300

This also includes a reference to the upstream fix, which will fix the
breakage and expose the security issue here.

Regardless, I created an upstream bug, see:

https://github.com/keplerproject/cgilua/issues/17

-- 
Brian May <b...@debian.org>
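To make the class of weakness in the CVE text concrete, here is an added Lua example; it is not CGILua's session.lua, not the upstream fix, and not code from anyone in this thread. It assumes a session ID derived directly from os.time() (the pattern the advisory describes, with one-second granularity), shows how an attacker who can guess the login time to within an hour enumerates every possible ID, and contrasts it with an ID drawn from /dev/urandom (assumed present; the function fails closed if it is not).

```lua
-- Added illustration, not CGILua's session.lua: a time-seeded session ID
-- of the kind CVE-2014-2875 describes, next to a CSPRNG-backed one.

-- Weak: the whole ID is a function of os.time(), so an attacker who knows
-- roughly when the victim logged in only has to try a few thousand values.
local function weak_session_id()
  -- os.time() has one-second granularity; hex-encoding it adds no entropy.
  return string.format("%08x", os.time())
end

-- Enumerate every ID the weak generator could have produced inside a
-- window around the guessed login time (the brute force the CVE mentions).
local function enumerate_weak_ids(guess_epoch, window_seconds)
  local ids = {}
  for t = guess_epoch - window_seconds, guess_epoch + window_seconds do
    ids[#ids + 1] = string.format("%08x", t)
  end
  return ids
end

-- Hardened: 16 bytes (128 bits) from the OS CSPRNG. Assumes /dev/urandom
-- exists; on platforms without it, io.open returns nil and we fail closed
-- rather than fall back to a predictable source.
local function strong_session_id()
  local f = assert(io.open("/dev/urandom", "rb"), "no CSPRNG available")
  local bytes = f:read(16)
  f:close()
  assert(bytes and #bytes == 16, "short read from /dev/urandom")
  return (bytes:gsub(".", function(c) return string.format("%02x", c:byte()) end))
end

-- Demo: a victim logs in "now"; the attacker guesses within +/- 1 hour,
-- which is only 7201 candidates, trivially tried against a login endpoint.
local victim = weak_session_id()
local candidates = enumerate_weak_ids(os.time(), 3600)
local hit = false
for _, id in ipairs(candidates) do
  if id == victim then hit = true break end
end
print("weak id", victim, "candidates tried", #candidates, "hijacked", hit)
print("strong id", strong_session_id())
```

Run with any Lua 5.1+ interpreter. The point of the demo is the keyspace: a time-derived ID has at most a few thousand plausible values per login, while 16 CSPRNG bytes give 2^128, which no online brute force approaches.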