Your message dated Tue, 27 Jun 2023 12:35:11 +0200 with message-id <ZJq7Xz6/BwoWF2pe@debian.org> and subject line Re: Bug#1034847: lua5.3: CVE-2021-43519 has caused the Debian Bug report #1034845, regarding lua5.1: CVE-2021-43519 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 1034845: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034845 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: lua5.1: CVE-2021-43519
- From: Moritz Mühlenhoff <jmm@inutil.org>
- Date: Tue, 25 Apr 2023 20:57:19 +0200
- Message-id: <ZEgij1RDOYhgfgbw@pisco.westfalen.local>
Source: lua5.1 X-Debbugs-CC: team@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for lua5.1. CVE-2021-43519[0]: | Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5.4.4 | allows attackers to perform a Denial of Service via a crafted script | file. http://lua-users.org/lists/lua-l/2021-10/msg00123.html http://lua-users.org/lists/lua-l/2021-11/msg00015.html Fixed by: https://github.com/lua/lua/commit/74d99057a5146755e737c479850f87fd0e3b6868 If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2021-43519 https://www.cve.org/CVERecord?id=CVE-2021-43519 Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
- To: 1034845-done@bugs.debian.org, 1034846-done@bugs.debian.org, 1034847-done@bugs.debian.org
- Cc: security@debian.org
- Subject: Re: Bug#1034847: lua5.3: CVE-2021-43519
- From: Guilhem Moulin <guilhem@debian.org>
- Date: Tue, 27 Jun 2023 12:35:11 +0200
- Message-id: <ZJq7Xz6/BwoWF2pe@debian.org>
- Mail-followup-to: Guilhem Moulin <guilhem@debian.org>, 1034845-done@bugs.debian.org, 1034846-done@bugs.debian.org, 1034847-done@bugs.debian.org, security@debian.org
- In-reply-to: <ZJX3QTCJElgTlBV7@eldamar.lan>
- References: <ZEgiuFq4jOcOYqdp@pisco.westfalen.local> <ZJRyB1ON8wdTqrCx@debian.org> <ZEgiuFq4jOcOYqdp@pisco.westfalen.local> <ZJVzlKZz5qTieSlc@debian.org> <ZJX3QTCJElgTlBV7@eldamar.lan>
Hi, On Fri, 23 Jun 2023 at 21:49:21 +0200, Salvatore Bonaccorso wrote: > Your analysis at first glance seems to make sense, but to be on safe > side, unless jmm seems it to fit, I would rather go with the still > affected, but ignored for stable and older suites. > > If you can prod upstream to double-check with them if you have indeed > found the introducing commit, then we can update the CVE entry > accordingly. Closing #103484[567] per upstream reply at http://lua-users.org/lists/lua-l/2023-06/msg00063.html and https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b6a9341 . -- Guilhem.Attachment: signature.asc
Description: PGP signature
--- End Message ---