[pkg-lua-devel] luajit: CVE-2024-25176, CVE-2024-25177 and CVE-2024-25178
Salvatore Bonaccorso
carnil at debian.org
Thu Jul 31 06:00:26 BST 2025
Hi,
On Tue, Jul 29, 2025 at 11:59:30PM +0200, Santiago Ruano Rincón wrote:
> Hello Yang,
>
> On 29 July 2025 21:02:12 GMT+02:00, Yang Wang <yang.wang at windriver.com> wrote:
> >Hi Debian Lua Team,
> >
> >I'm working on Debian contributions.
> >
> >I noticed that you're the maintainer of luajit in Debian.
> >
> > * https://security-tracker.debian.org/tracker/CVE-2024-25176
> > * https://security-tracker.debian.org/tracker/CVE-2024-25177
> > * https://security-tracker.debian.org/tracker/CVE-2024-25178
> >
> >Seems they have been fixed in Trixie/Sid.
> >
> >Do you think these HIGH CVE issues are worth back-porting the fixes into Bookworm and Bullseye? And if I provide the back-port patches, would you merge them?
> >
> >
> >Thanks,
> >-Yang
>
> ...
>
> Actually, it is up to the security team (in CC) to determine if a
> package requires a security update via a DSA, or if a point update
> would be a more suitable approach. It's their call.
None of those warrant a DSA. I have updated the security-tracker to
reflect that.

FWIW: We do not use CVSS scores for our assessments.

https://www.debian.org/security/faq#cve-severity-assessment

Regards,
Salvatore