[Git][security-tracker-team/security-tracker][master] Reserve DLA-3469-1 for lua5.3

Guilhem Moulin (@guilhem) guilhem at debian.org
Thu Jun 22 23:31:21 BST 2023



Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker


Commits:
dea640db by Guilhem Moulin at 2023-06-23T00:30:38+02:00
Reserve DLA-3469-1 for lua5.3

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -205616,7 +205616,6 @@ CVE-2020-24370 (ldebug.c in Lua 5.4.0 allows a negation overflow and segmentatio
 	- lua5.4 5.4.1-1 (bug #971613)
 	- lua5.3 5.3.6-1 (bug #988734)
 	[bullseye] - lua5.3 <no-dsa> (Minor issue)
-	[buster] - lua5.3 <no-dsa> (Minor issue)
 	NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00324.html
 	NOTE: (lua5.4) https://github.com/lua/lua/commit/a585eae6e7ada1ca9271607a4f48dfb17868ab7b
 	NOTE: (lua5.3) https://github.com/lua/lua/commit/b5bc89846721375fe30772eb8c5ab2786f362bf9
@@ -305479,7 +305478,6 @@ CVE-2019-6707 (PHPSHE 1.7 has SQL injection via the admin.php?mod=product&act=st
 CVE-2019-6706 (Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For examp ...)
 	- lua5.3 5.3.6-1 (bug #920321)
 	[bullseye] - lua5.3 <postponed> (Minor issue, revisit when fixed upstream)
-	[buster] - lua5.3 <postponed> (Minor issue)
 	- lua5.2 <not-affected> (Vulnerable code introduced later)
 	- lua5.1 <not-affected> (Vulnerable code introduced later)
 	- lua50 <not-affected> (Vulnerable code introduced later)
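Review bot: the bullseye line kept at the top of this hunk still reads `<postponed> (Minor issue, revisit when fixed upstream)`, yet the dla-needed.txt NOTE removed further down in this same commit records that the upstream fix for CVE-2019-6706 has now been released, so the "revisit when fixed upstream" rationale is stale. Either refresh the bullseye rationale in this commit or add a NOTE that the upstream fix is out and the bullseye status is pending the security team's decision, so the next person reading the entry does not keep waiting on a fix that already exists.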


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[23 Jun 2023] DLA-3469-1 lua5.3 - security update
+	{CVE-2019-6706 CVE-2020-24370}
+	[buster] - lua5.3 5.3.3-1.1+deb10u1
 [22 Jun 2023] DLA-3468-1 hsqldb1.8.0 - security update
 	{CVE-2023-1183}
 	[buster] - hsqldb1.8.0 1.8.0.10+dfsg-10+deb10u1
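Review bot: the new DLA-3469-1 entry lists only CVE-2019-6706 and CVE-2020-24370, while the dla-needed.txt block removed in this commit asked to "also fix the 2 other open CVEs if appropriate", which implies a third open lua5.3 CVE that this DLA does not cover. If it was deliberately left out (not applicable, not worth a buster update, or deferred), record that decision somewhere it will be found, for example a NOTE on that CVE's entry in data/CVE/list, because nothing in this commit says why; the diff does not show which CVE that is, so I cannot check its current tag.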


=====================================
data/dla-needed.txt
=====================================
@@ -120,12 +120,6 @@ libx11 (Adrian Bunk)
 linux (Ben Hutchings)
   NOTE: 20230111: perma-added for LTS package-specific delegation (bwh)
 --
-lua5.3 (guilhem)
-  NOTE: 20230621: Added by Front-Desk (Beuc)
-  NOTE: 20230621: A sponsor requested special attention to CVE-2019-6706 (which had been postponed waiting for a fix, now released)
-  NOTE: 20230621: Also fix the 2 other open CVEs if appropriate.
-  NOTE: 20230621: Please check with the security team if they'd be interested in a bullseye upload as well. (Beuc/front-desk)
---
 nova
   NOTE: 20230302: Re-add, request by maintainer (Beuc)
   NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression
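Review bot: dropping the whole lua5.3 block also drops the open action item in its last NOTE ("Please check with the security team if they'd be interested in a bullseye upload as well"), and the bullseye tags for both CVEs in data/CVE/list are left unchanged by this commit. Unless that question has already been answered, keep a NOTE recording it (either on the CVE entries or in dla-needed.txt) rather than losing it together with the entry.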



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dea640db7facf334373b3e58586e04ef33ed32f9
