Debian Package Tracker

Problems while searching for a new upstream version high

uscan had problems while searching for a new upstream version:

more than one main upstream tarballs listed.

Created: 2020-07-01 Last update: 2020-10-27 01:05

A new upstream version is available: 5.4.1 high

A new upstream version 5.4.1 is available, you should consider packaging it.

Created: 2020-10-10 Last update: 2020-10-27 01:05

6 security issues in sid high

There are 6 open security issues in sid.

6 important issues:

CVE-2020-15888: Lua through 5.4.0 mishandles the interaction between stack resizes and garbage collection, leading to a heap-based buffer overflow, heap-based buffer over-read, or use-after-free.
CVE-2020-15945: Lua through 5.4.0 has a segmentation fault in changedline in ldebug.c (e.g., when called by luaG_traceexec) because it incorrectly expects that an oldpc value is always updated upon a return of the flow of control to a function.
CVE-2020-24342: Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row.
CVE-2020-24369: ldebug.c in Lua 5.4.0 attempts to access debug information via the line hook of a stripped function, leading to a NULL pointer dereference.
CVE-2020-24370: ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).
CVE-2020-24371: lgc.c in Lua 5.4.0 mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage.

Please fix them.

Created: 2020-07-26 Last update: 2020-10-12 23:25

6 security issues in bullseye high

There are 6 open security issues in bullseye.

6 important issues:

CVE-2020-15888: Lua through 5.4.0 mishandles the interaction between stack resizes and garbage collection, leading to a heap-based buffer overflow, heap-based buffer over-read, or use-after-free.
CVE-2020-15945: Lua through 5.4.0 has a segmentation fault in changedline in ldebug.c (e.g., when called by luaG_traceexec) because it incorrectly expects that an oldpc value is always updated upon a return of the flow of control to a function.
CVE-2020-24342: Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row.
CVE-2020-24369: ldebug.c in Lua 5.4.0 attempts to access debug information via the line hook of a stripped function, leading to a NULL pointer dereference.
CVE-2020-24370: ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).
CVE-2020-24371: lgc.c in Lua 5.4.0 mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage.

Please fix them.

Created: 2020-07-26 Last update: 2020-10-12 23:25

lua5.4