Package: mini-httpd
Version: 1.30-3
Severity: serious
Tags: security
Hello - mini-httpd as-built in bullseye and bookworm (package versions 1.30-2+b1 and 1.30-3) do not emit logs when CGI scripts are called.
This was fixed in bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516307
While great news, the change was only pushed to unstable/testing. Due to the security implication of the bug (if an attacker accesses a vulnerable CGI script, no evidence would be left, this is a vulnerability), I kindly request if this patch can be backported to bookworm and bullseye as a security fix?
Due to the simplicity of the existing patch I was hoping this could be backported to supported releases before the cutover to trixie. Thank you!
Regards
Lloyd
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)