[pkg-lua-devel] Lua security vulnerabilities in bullseye - plan for resolving?
David W. Kennedy
dave_k at reasoned.us
Mon Sep 26 06:36:43 BST 2022
Hello,

Debian Tracker indicates that Lua5.1, 5.2, 5.3 and 5.4 have unresolved
security vulnerabilities in bullseye. They're labeled low priority, but
that seems to be an automatic label that DT gives them based on the fact
that they have no Debian Security Advisory. The basis of this guess is
what is written in the security team's FAQ about whether all CVEs are
given DSAs. As a spot check, CVE-2019-6706 has a base severity score of
7.5 High according to the NIST NVD, so I think it's misleading that DT
is labeling the vulnerability as low priority.

Is there a plan for resolving these vulnerabilities? I looked through
the security and security-announce mailing list archives, and I don't
see discussion of lua in the past 2 years.

Lua5.1 and 5.2 are orphaned. Do you think that packages should
immediately stop using them as dependencies, including in bullseye?

I'm a volunteer for the Debian package of 0ad, and I have found that lua
is relevant for building premake5 from source. I don't want to use
potentially vulnerable software for this, so is there mitigation advice
and/or a plan to resolve the vulnerabilities?

Thanks.
--
Dave Kennedy
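The cross-check the message describes (tracker "urgency" versus NVD base score for CVEs still open in a suite) can be scripted against the tracker's JSON export. The block below is an added example, not code from the thread or from the pkg-lua-devel project. It assumes the shape of https://security-tracker.debian.org/tracker/data/json as package -> CVE -> {"releases": {suite: {"status", "urgency", ...}}}; the embedded sample data, its version strings, the placeholder id CVE-0000-0000 and its score are constructed for illustration, and the only value taken from the thread is the 7.5 NVD base score for CVE-2019-6706.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample in the shape of the Debian security tracker JSON export
# (https://security-tracker.debian.org/tracker/data/json). Version strings are
# placeholders; CVE-0000-0000 is a fake id that exists only to exercise the
# "resolved" branch. Nothing here is real tracker output.
SAMPLE_TRACKER_JSON = json.dumps({
    "lua5.3": {
        "CVE-2019-6706": {
            "description": "(placeholder description)",
            "scope": "local",
            "releases": {
                "bullseye": {"status": "open", "urgency": "low",
                             "repositories": {"bullseye": "0.0-placeholder"}},
                "sid": {"status": "open", "urgency": "low",
                        "repositories": {"sid": "0.0-placeholder"}},
            },
        },
    },
    "lua5.4": {
        "CVE-0000-0000": {
            "description": "(placeholder description)",
            "scope": "local",
            "releases": {
                "bullseye": {"status": "resolved", "urgency": "low",
                             "fixed_version": "0.0-placeholder",
                             "repositories": {"bullseye": "0.0-placeholder"}},
            },
        },
    },
})

# NVD CVSS base scores. 7.5 for CVE-2019-6706 is the figure quoted in the
# thread; the placeholder score is constructed. In practice this map would be
# filled from the NVD API or a local NVD feed.
NVD_BASE_SCORES: Dict[str, float] = {
    "CVE-2019-6706": 7.5,
    "CVE-0000-0000": 5.0,
}

# Tracker urgency labels that a reader might take to mean "nothing to see".
# The tracker sometimes suffixes a label with "*" markers (assumption: treat
# "low**" like "low"), so labels are normalised with rstrip("*") below.
LOW_URGENCIES = {"low", "unimportant", "not yet assigned"}


def load_tracker(text: str) -> dict:
    """Parse the tracker JSON export (or a saved copy of it)."""
    return json.loads(text)


def open_cves(tracker: dict, suite: str,
              packages: List[str]) -> List[Tuple[str, str, str]]:
    """Return (package, cve, urgency) for every CVE still 'open' in `suite`."""
    rows = []
    for pkg in packages:
        for cve, info in tracker.get(pkg, {}).items():
            rel = info.get("releases", {}).get(suite)
            if rel is not None and rel.get("status") == "open":
                rows.append((pkg, cve, rel.get("urgency", "unknown")))
    return sorted(rows)


def understated(tracker: dict, suite: str, packages: List[str],
                nvd_scores: Dict[str, float],
                threshold: float = 7.0) -> List[Tuple[str, str, str, float]]:
    """Open CVEs whose tracker urgency is low-ish but whose NVD base score is
    at or above `threshold` (7.0 is the bottom of CVSS v3 'High')."""
    flagged = []
    for pkg, cve, urgency in open_cves(tracker, suite, packages):
        score = nvd_scores.get(cve, 0.0)  # unscored CVEs are never flagged
        if urgency.rstrip("*") in LOW_URGENCIES and score >= threshold:
            flagged.append((pkg, cve, urgency, score))
    return flagged


if __name__ == "__main__":
    tracker = load_tracker(SAMPLE_TRACKER_JSON)
    pkgs = ["lua5.1", "lua5.2", "lua5.3", "lua5.4"]
    for pkg, cve, urgency, score in understated(tracker, "bullseye", pkgs,
                                                NVD_BASE_SCORES):
        print(f"{pkg}: {cve} open in bullseye, tracker urgency={urgency}, "
              f"NVD base score={score}")
```

To run this against live data, save the tracker JSON export to a file and pass its contents to `load_tracker`; the urgency labels and the "*" suffix handling are assumptions about the export and should be checked against a current download before relying on the output.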