Gentoo Archives: gentoo-dev

From: Peter Stuge <peter@×××××.se>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Last rites: www-servers/boa
Date: Mon, 28 Nov 2022 07:45:44
Message-Id: 20221128074532.10874.qmail@stuge.se
In Reply to: [gentoo-dev] Last rites: www-servers/boa by John Helmert III

John Helmert III wrote:
> # John Helmert III <ajak@g.o> (2022-11-27)
> # Unmaintained upstream, several unresolved public vulnerabilities,
> # Removal in 30 days. Bug #882773.
> www-servers/boa

This is bogus, please revert.

Who are you to declare unmaintained? It's a simple program so maybe
it simply needs no further change.

Anyway, none of the three CVEs you list in #882773 are valid.

CVE-2022-44117 is an empty claim with no detail at all. And as mgorny
points out, boa does not have anything to do with SQL.

CVE-2021-33558 and CVE-2017-9833 refer to issues in applications or
appliances which use boa. They have nothing to do with boa itself.
The named files do not exist in the boa package.

Shouldn't this process work a lot better?


Thanks

//Peter

Replies

Subject Author
Re: [gentoo-dev] Last rites: www-servers/boa "Michał Górny" <mgorny@g.o>