[pkg-lua-devel] luajit: CVE-2024-25176, CVE-2024-25177 and CVE-2024-25178
Yang Wang
yang.wang at windriver.com
Wed Jul 30 18:46:45 BST 2025
On 2025-07-29 17:59, Santiago Ruano Rincón wrote:
> Hello Yang,
>
> On 29 July 2025 21:02:12 GMT+02:00, Yang Wang <yang.wang at windriver.com> wrote:
>> Hi Debian Lua Team,
>>
>> I'm working on Debian contributions.
>>
>> I noticed that you're the maintainer of luajit in Debian.
>>
>> * https://security-tracker.debian.org/tracker/CVE-2024-25176
>> * https://security-tracker.debian.org/tracker/CVE-2024-25177
>> * https://security-tracker.debian.org/tracker/CVE-2024-25178
>>
>> Seems they have been fixed in Trixie/Sid.
>>
>> Do you think these HIGH CVE issues are worth back-porting the fixes into Bookworm and Bullseye? And if I provide the back-port patches, would you merge them?
>>
>>
>> Thanks,
>> -Yang
> ...
>
> Actually, it is up to the security team (in CC) to determine if a package requires a security update via a DSA, or if a point update would be a more suitable approach. It's their call.
Thanks! Could someone from the security team make a comment here?
Appreciated,
-Yang
>
> Thanks,
>
> Santiago