- Subject: Re: CVE-2020-15889
- From: Bruno Vernay <brunovern.a@...>
- Date: Thu, 17 Dec 2020 20:51:42 +0100
My simple question would be:
If CVE-2020-15889 affects versions up to and including 5.4.0, then where can I find
a patch to backport to previous versions like 5.3.5?
If it affects Lua since 5.4.0, then has it ever been fixed?
Regards
Bruno
On Fri, Dec 11, 2020 at 2:00 PM Bruno Vernay <brunovern.a@gmail.com> wrote:
>
> Hi
>
> Here it reads that versions up to 5.4 are affected
> https://vuldb.com/?id.158861 which is plain wrong, misleading and
> should be corrected.
> Here that versions from 5.4 are affected
> https://access.redhat.com/security/cve/cve-2020-15889 which is right I
> guess.
>
> Now I have a hard time finding a patch too.
> NIST references a "Patch"
> https://nvd.nist.gov/vuln/detail/CVE-2020-15889 very simple one line.
> I really doubt it fixes the CVE. Either NIST should be alerted, or
> the commit should contain an explicit info about the CVE.
>
> On IRC, I have been referred to "it's bug #6 on here:
> https://www.lua.org/bugs.html#5.4.0-6"
> and that the correct commit would be "correct commit:
> https://github.com/lua/lua/commit/31b8c2d4380a762d1ed6a7faee74a1d107f86014"
> But there is no reference to the CVE in any of the commits.
>
> It would help to clarify the situation with NIST, VulDB and reference
> the CVE in the commits (I understand there are no pull requests) or
> create an explicit patch like this
> http://cgit.openembedded.org/meta-openembedded/tree/meta-oe/recipes-devtools/lua/lua_5.3.5.bb?h=master
>
> Thanks
--
Bruno VERNAY