[pkg-lua-devel] Lua security vulnerabilities in bullseye - plan for resolving?

David W. Kennedy dave_k at reasoned.us
Thu Sep 29 20:01:43 BST 2022


On 2022-09-29 00:43, Salvatore Bonaccorso wrote:
> The
> issues are as well not warranting a DSA and so a security-update. But
> given times available from contributors they can be fixed in any
> upcoming bullseye point release.

Salvatore, I see that you're on the Debian security team. Can you please 
help clear up some questions that I have about this? I appreciate the 
work that the Debian security team is doing, and the security tracker's 
convenient list of security advisory fix status for each package. Also, 
I acknowledge that the security team only promises to coordinate 
security fixes, not necessarily write fixes themselves.

What is the basis of your statement that the issues do not warrant a DSA 
and security-update? CVE-2019-6706 and CVE-2022-33099, for example, have 
a "7.5 High" base severity score in the NIST national vulnerability 
database. CVE-2022-28805 has a "9.1 Critical" base severity score. 
They're indicated as having network attack vectors and no 
authentication necessary to exploit. Maybe I'm missing something here, 
but that doesn't seem minor to me.

Is the Debian security team's policy about how to classify 
vulnerabilities to low priority instead of regular priority published 
somewhere? I would like to be able to properly recognize security issues 
that are so minor that they do not warrant issuance of a DSA. This way I 
can avoid interrupting the security team about such issues.

Is there any writing online with the rationale of the debian-security 
team's decision about whether to issue a DSA for these unfixed 
vulnerabilities, and an indication of which security team members 
reviewed the vulnerabilities?

For reference, this is a list of the unfixed security vulnerabilities 
according to the security tracker. Most of these are unfixed in 
bullseye, some are unfixed in sid and bookworm.

lua5.4
CVE-2021-43519
CVE-2021-44647
CVE-2021-44964
CVE-2022-28805
CVE-2022-33099

lua5.3
CVE-2019-6706
CVE-2020-24370
CVE-2021-43519

lua5.2
CVE-2021-43519

lua5.1
CVE-2021-43519

Thanks.

-- 
Dave Kennedy
