luci-app-bmx6: drop this because of security vulnerabilities
DependencyBot, which we are using, is sending us emails about these CVEs:
CVE-2012-6708
CVE-2020-23064
CVE-2019-11358

This was reported to the maintainer in April 2023, but no one stepped in to fix it,
so let's drop this.

Replacement could be luci-app-bmx7.

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
BKPepe committed Sep 29, 2023
1 parent 9fb9d93 commit c2124dd
Showing 33 changed files with 0 additions and 2,771 deletions.
339 changes: 0 additions & 339 deletions luci-app-bmx6/COPYING

This file was deleted.

99 changes: 0 additions & 99 deletions luci-app-bmx6/Makefile

This file was deleted.

7 changes: 0 additions & 7 deletions luci-app-bmx6/bmx6/etc/config/luci-bmx6

This file was deleted.

277 changes: 0 additions & 277 deletions luci-app-bmx6/bmx6/usr/lib/lua/luci/controller/bmx6.lua

This file was deleted.


2 comments on commit c2124dd

@rogerpueyo (Contributor) commented on c2124dd Oct 7, 2023

May we have the opportunity to add the package back if I fix these vulnerabilities? @BKPepe

@BKPepe (Member, Author) commented on c2124dd Oct 8, 2023

Mhm, I was thinking about that, but no. I need to be strict and honest with you. Those vulnerabilities were left here for almost 6 months without any attention. We were getting weekly reports about new vulnerabilities, and it also got our attention when we pushed something to the master branch via CLI. Okay, that's one thing. Why does only this app need to bundle jQuery? It is not sufficient to fix that. It needs to be refactored, because no apps are bundling it in the LuCI repository. The other thing is that there were a few issues reported to us in this repository about this package, and no one has cared about that for 2-3 years.

To sum it up: no, this package is not maintained here; bmx6 has not received any new commits since 2018 (sorry, I don't count fixing something in the README about Wikipedia's URL).

To me, overall, it is dead. There's no point in reviving it. Switch to bmx7, if possible.
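The objection in the comment above is that this app was the only one in the repository bundling its own copy of jQuery, which is what the three CVE reports were tripping on. As an added example (not code from the LuCI project or from either commenter), here is a Python check that walks a source tree for vendored jQuery builds, reads the version from the file banner and reports which of the three CVEs named in the commit message still apply to each copy. The fixed-in versions in `CVE_FIXED_IN` are supplied by the editor from the upstream jQuery advisories and should be verified against them before use; the directory it scans in `demo_scan()` is constructed for the example.

```python
"""Find vendored (bundled) jQuery builds in a source tree and report which of
the CVEs named in the commit message still apply to each copy.

Added example for this discussion; it is not code from the LuCI project or
from the commenters. The CVE -> fixed-in-version table is supplied here from
the upstream jQuery advisories as the editor recalls them and should be
verified against those advisories before use. The sample tree is constructed.
"""
import re
import tempfile
from pathlib import Path

# Assumed fixed-in versions for the three CVEs listed in the commit message.
CVE_FIXED_IN = {
    "CVE-2012-6708": (1, 9, 0),   # XSS when location.hash is passed to $()
    "CVE-2019-11358": (3, 4, 0),  # prototype pollution via jQuery.extend()
    "CVE-2020-23064": (3, 5, 0),  # XSS via untrusted HTML in DOM manipulation
}

# Release builds start with a banner such as
#   /*! jQuery v1.11.3 | (c) 2005, 2015 jQuery Foundation, Inc. | ... */
# and older ones with "jQuery JavaScript Library v1.4.2".
_BANNER = re.compile(r"jQuery(?: JavaScript Library)? v(\d+)\.(\d+)(?:\.(\d+))?")
_HEAD_BYTES = 2048  # the banner is always at the top of the file


def parse_jquery_version(text):
    """Return (major, minor, patch) if text carries a jQuery banner, else None."""
    m = _BANNER.search(text[:_HEAD_BYTES])
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def cves_affecting(version):
    """CVE ids from CVE_FIXED_IN whose fix is newer than the given version."""
    return sorted(cve for cve, fixed in CVE_FIXED_IN.items() if version < fixed)


def scan_tree(root):
    """Map each jQuery copy under root (posix relative path) to (version, CVEs)."""
    root = Path(root)
    found = {}
    for path in root.rglob("*.js"):
        try:
            with path.open("r", encoding="utf-8", errors="replace") as fh:
                head = fh.read(_HEAD_BYTES)
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole scan
        version = parse_jquery_version(head)
        if version is not None:
            found[path.relative_to(root).as_posix()] = (version, cves_affecting(version))
    return found


def demo_scan():
    """Build a constructed tree with one vendored jQuery and one plain script, scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "luci-app-example" / "htdocs" / "luci-static" / "resources"
        app.mkdir(parents=True)
        # Constructed banner in the format real 1.x release builds use.
        (app / "jquery.min.js").write_text(
            "/*! jQuery v1.11.3 | (c) 2005, 2015 jQuery Foundation, Inc. | "
            "jquery.org/license */\n!function(a,b){}(window);\n"
        )
        (app / "app.js").write_text("'use strict';\n// no jQuery here\n")
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, (ver, cves) in demo_scan().items():
        status = ", ".join(cves) if cves else "none of the listed CVEs"
        print(f"{rel}: jQuery {'.'.join(map(str, ver))} -> {status}")
```

Run it against a feed checkout (`scan_tree("/path/to/luci")`) to get the same signal Dependabot was sending by e-mail, but locally and before a push. A copy that is found at all is the real finding here: as the comment says, the fix for a LuCI app is to stop vendoring the library, not to bump the bundled file to a version the table happens to pass.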
