[pkg-lua-devel] luajit: CVE-2024-25176, CVE-2024-25177 and CVE-2024-25178
Yang Wang
yang.wang at windriver.com
Thu Jul 31 17:29:07 BST 2025
On 2025-07-31 01:00, Salvatore Bonaccorso wrote:
>
> Hi,
>
> On Tue, Jul 29, 2025 at 11:59:30PM +0200, Santiago Ruano Rincón wrote:
>> Hello Yang,
>>
>> On 29 July 2025 21:02:12 GMT+02:00, Yang Wang <yang.wang at windriver.com> wrote:
>>> Hi Debian Lua Team,
>>>
>>> I'm working on Debian contributions.
>>>
>>> I noticed that you're the maintainer of luajit in Debian.
>>>
>>> * https://security-tracker.debian.org/tracker/CVE-2024-25176
>>> * https://security-tracker.debian.org/tracker/CVE-2024-25177
>>> * https://security-tracker.debian.org/tracker/CVE-2024-25178
>>>
>>> Seems they have been fixed in Trixie/Sid.
>>>
>>> Do you think these HIGH CVE issues are worth back-porting the fixes into Bookworm and Bullseye? And if I provide the back-port patches, would you merge them?
>>>
>>>
>>> Thanks,
>>> -Yang
>> ...
>>
>> Actually, it is up to the security team (in CC) to determine if a
>> package requires a security update via a DSA, or if a point update
>> would be a more suitable approach. It's their call.
> None of those warrant a DSA. I have updated the security-tracker to
> reflect that.
>
> FWIW: We do not use CVSS scores for our assessments.
> https://www.debian.org/security/faq#cve-severity-assessment
Thanks a lot for the response and for clearly marking them as minor issues.
-Yang
>
> Regards,
> Salvatore