author: Salvatore Bonaccorso <carnil@debian.org> 2020-03-31 23:11:50 +0200
committer: Salvatore Bonaccorso <carnil@debian.org> 2020-03-31 23:11:50 +0200
commit: 9dcdb41c6f00d1c7056ea6fcaee365b650a62ca9
tree: ed2f8488096039c6fa022f0a6a35b7eb51bf701b /data/CVE/list.2014
parent: bd4e189fb3f167fc2e7f9e248f4c8918afb3ac16
Slightly reorganize notes for CVE-2014-2875
Add the original CVE bug to the source package and expand explanation why the issue is not exploitable according to the analysis from Brian May.
Diffstat (limited to 'data/CVE/list.2014')
-rw-r--r-- data/CVE/list.2014 7
1 files changed, 3 insertions, 4 deletions
diff --git a/data/CVE/list.2014 b/data/CVE/list.2014
index cf502428b9..30355fa033 100644
--- a/data/CVE/list.2014
+++ b/data/CVE/list.2014
@@ -19574,11 +19574,10 @@ CVE-2014-2877
CVE-2014-2876
RESERVED
CVE-2014-2875 (The session.lua library in CGILua 5.2 alpha 1 and 5.2 alpha 2 uses wea ...)
- - lua-cgi <unfixed> (unimportant)
+ - lua-cgi <unfixed> (unimportant; bug #953037)
NOTE: https://github.com/keplerproject/cgilua/issues/17
- NOTE: https://bugs.debian.org/953037
- NOTE: https://bugs.debian.org/954300
- NOTE: The code itself is broken and thus cannot be exploited per se if not fixed.
+ NOTE: The code itself is broken and thus cannot be exploited per se if not fixed,
+ NOTE: see details in https://bugs.debian.org/954300
CVE-2014-XXXX [Insecure default permissions for ~/.virtualenvs and scripts]
- virtualenvwrapper 4.3-1 (low; bug #745580)
[wheezy] - virtualenvwrapper <no-dsa> (Minor issue)
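Review bot: The two added NOTE lines under CVE-2014-2875 leave the justification for "unimportant" dependent on an external bug log: "The code itself is broken and thus cannot be exploited per se if not fixed," does not say which part of session.lua is broken, and the sentence is split across two NOTE lines with a trailing comma, so a search that matches one line returns half the reasoning. Consider stating the broken behaviour in a few words in the NOTE itself and keeping "see details in https://bugs.debian.org/954300" as the pointer, so the entry still explains the triage decision if the bug is archived. "cannot be exploited per se if not fixed" is also easy to misread; "cannot be exploited unless the code is first fixed" would be clearer. Since the commit message credits the analysis to Brian May, naming that analysis in the NOTE would help later reviewers find the right message in the bug. Folding #953037 into the package line as "bug #953037" looks fine.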