Package: mini-httpd
Version: 1.30-3
Severity: serious
Tags: security

Hello - mini-httpd as-built in bullseye and bookworm (package versions
1.30-2+b1 and 1.30-3) does not emit logs when CGI scripts are called.

This was fixed in bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516307

While great news, the change was only pushed to unstable/testing. Due to the
security implication of the bug (if an attacker accesses a vulnerable CGI
script, no evidence would be left; this is a vulnerability), I kindly request
if this patch can be backported to bookworm and bullseye as a security fix?

Due to the simplicity of the existing patch I was hoping this could be
backported to supported releases before the cutover to trixie. Thank you!

Regards
Lloyd
