[pkg-lua-devel] bullseye-security upload for CVE-2019-6706/lua5.3

Salvatore Bonaccorso carnil at debian.org
Tue Jun 27 21:29:18 BST 2023


Hi Guilhem,

On Tue, Jun 27, 2023 at 12:34:30AM +0200, Guilhem Moulin wrote:
> Dear Security Team,
> 
> I've been told that a Debian LTS sponsor requested a fix for
> CVE-2019-6706/lua5.3, which I did (along with a fix for CVE-2020-24370) in the
> recent lua5.3=5.3.3-1.1+deb10u1 upload to buster-security.
> 
> Unfortunately, that means the buster-security version is now higher than
> bullseye's/bullseye-security's, and that upgrading systems will regress.
> 
> I know both of these CVEs are marked as <no-dsa>, but perhaps you would
> be willing to issue a DSA nonetheless?  (tested debdiff enclosed.)
> If that's not an option, then Lua maintainers please consider an upload
> via bullseye-pu.

We do not plan to release a DSA for it. But you do not need to be the
maintainer to propose a bullseye-pu update. Assuming the Lua
maintainers do not object, you can go ahead on your own proposing the
fix via the next bullseye point release.

Can you approach the SRMs?

Regards,
Salvatore
