- Subject: CVE-2020-15889
- From: Bruno Vernay <brunovern.a@...>
- Date: Fri, 11 Dec 2020 14:00:13 +0100
Hi,
Here it reads that versions up to 5.4 are affected:
https://vuldb.com/?id.158861
which is plain wrong, misleading and should be corrected.
Here it says that versions from 5.4 are affected:
https://access.redhat.com/security/cve/cve-2020-15889
which is right, I guess.
Now I am having a hard time finding a patch too.
NIST references a "Patch":
https://nvd.nist.gov/vuln/detail/CVE-2020-15889
a very simple one-liner.
I really doubt it fixes the CVE. Either NIST should be alerted, or
the commit should contain explicit info about the CVE.
On IRC, I have been referred to "it's bug #6 on here:
https://www.lua.org/bugs.html#5.4.0-6"
and told that the "correct commit" would be:
https://github.com/lua/lua/commit/31b8c2d4380a762d1ed6a7faee74a1d107f86014
But there is no reference to the CVE in any of the commits.
It would help to clarify the situation with NIST and VulDB, and to reference
the CVE in the commits (I understand there are no pull requests), or to
create an explicit patch like this one:
http://cgit.openembedded.org/meta-openembedded/tree/meta-oe/recipes-devtools/lua/lua_5.3.5.bb?h=master
Thanks