Ticket #44467

Lua-5.4.4 CVE-2022-28805

Opened: 2022-04-26 04:13 Last updated: 2022-04-28 02:54

Reporter:
Owner:
Type:
Status: Closed
Component:
Priority: 7
Severity: 5 - Medium
Resolution: Fixed
File: 2

Details

CVE-2022-28805 affects our included lua, at least in branches using lua-5.4. Need to check if lua-5.3 (-> S3_0) is affected. Upstream fix is in https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa

Ticket History (3/9 Histories)

2022-04-26 04:13 Updated by: cazfi
  • New Ticket "Lua-5.4.4 CVE-2022-28805" created
2022-04-26 04:21 Updated by: cazfi
  • Milestone Update from (None) to 3.0.2 (closed)
  • Priority Update from 5 - Medium to 7
Comment

Reply To cazfi

Need to check if lua-5.3 (-> S3_0) is affected.

At least the code there is identical, and no advisory gives a lower bound for affected versions.

2022-04-26 04:51 Updated by: cazfi
  • Owner Update from (None) to cazfi
  • Resolution Update from None to Accepted
Comment

Going to apply to S2_6 too.

2022-04-26 22:05 Updated by: cazfi
Comment

This got me to draft a clarification to our commit rules concerning vulnerability fixes. http://www.freeciv.org/wiki/Commit_rules

Esp. maintainers should check it, and comment if there's anything more to correct in it.

2022-04-28 02:53 Updated by: cazfi
  • Status Update from Open to Closed
  • Resolution Update from Accepted to Fixed
2022-04-28 02:54 Updated by: alienvalkyrie
  • Status Update from Closed to Open
  • Resolution Update from Fixed to Accepted
Comment

Reply To cazfi

This got me to draft a clarification to our commit rules concerning vulnerability fixes. http://www.freeciv.org/wiki/Commit_rules Esp. maintainers should check it, and comment if there's anything more to correct in it.

Looks sensible to me.

2022-04-28 02:54 Updated by: alienvalkyrie
  • Status Update from Open to Closed
  • Resolution Update from Accepted to Fixed
