There are 3 open security issues in bullseye.
2 issues left for the package maintainer to handle:
- CVE-2019-6706:
  (postponed; to be fixed through a stable update)
  Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a crash outcome might be achieved by an attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships.
- CVE-2020-24370:
  (needs triaging)
  ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).
You can find information about how to handle these issues in the security team's documentation.
1 ignored issue:
- CVE-2021-43519:
  Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5.4.4 allows attackers to perform a Denial of Service via a crafted script file.