-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: lua security update Advisory ID: RHSA-2023:0957-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2023:0957 Issue date: 2023-02-28 CVE Names: CVE-2021-43519 CVE-2021-44964 ===================================================================== 1. Summary: An update for lua is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64 3. Description: The lua packages provide support for Lua, a powerful light-weight programming language designed for extending applications. Lua is also frequently used as a general-purpose, stand-alone language. Security Fix(es): * lua: use after free allows Sandbox Escape (CVE-2021-44964) * lua: stack overflow in lua_resume of ldo.c allows a DoS via a crafted script file (CVE-2021-43519) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2047672 - CVE-2021-43519 lua: stack overflow in lua_resume of ldo.c allows a DoS via a crafted script file 2064772 - CVE-2021-44964 lua: use after free allows Sandbox Escape 6. Package List: Red Hat Enterprise Linux AppStream (v. 9): aarch64: lua-5.4.4-2.el9_1.aarch64.rpm lua-debuginfo-5.4.4-2.el9_1.aarch64.rpm lua-debugsource-5.4.4-2.el9_1.aarch64.rpm lua-libs-debuginfo-5.4.4-2.el9_1.aarch64.rpm ppc64le: lua-5.4.4-2.el9_1.ppc64le.rpm lua-debuginfo-5.4.4-2.el9_1.ppc64le.rpm lua-debugsource-5.4.4-2.el9_1.ppc64le.rpm lua-libs-debuginfo-5.4.4-2.el9_1.ppc64le.rpm s390x: lua-5.4.4-2.el9_1.s390x.rpm lua-debuginfo-5.4.4-2.el9_1.s390x.rpm lua-debugsource-5.4.4-2.el9_1.s390x.rpm lua-libs-debuginfo-5.4.4-2.el9_1.s390x.rpm x86_64: lua-5.4.4-2.el9_1.x86_64.rpm lua-debuginfo-5.4.4-2.el9_1.x86_64.rpm lua-debugsource-5.4.4-2.el9_1.x86_64.rpm lua-libs-debuginfo-5.4.4-2.el9_1.x86_64.rpm Red Hat Enterprise Linux BaseOS (v. 9): Source: lua-5.4.4-2.el9_1.src.rpm aarch64: lua-debuginfo-5.4.4-2.el9_1.aarch64.rpm lua-debugsource-5.4.4-2.el9_1.aarch64.rpm lua-libs-5.4.4-2.el9_1.aarch64.rpm lua-libs-debuginfo-5.4.4-2.el9_1.aarch64.rpm ppc64le: lua-debuginfo-5.4.4-2.el9_1.ppc64le.rpm lua-debugsource-5.4.4-2.el9_1.ppc64le.rpm lua-libs-5.4.4-2.el9_1.ppc64le.rpm lua-libs-debuginfo-5.4.4-2.el9_1.ppc64le.rpm s390x: lua-debuginfo-5.4.4-2.el9_1.s390x.rpm lua-debugsource-5.4.4-2.el9_1.s390x.rpm lua-libs-5.4.4-2.el9_1.s390x.rpm lua-libs-debuginfo-5.4.4-2.el9_1.s390x.rpm x86_64: lua-debuginfo-5.4.4-2.el9_1.i686.rpm lua-debuginfo-5.4.4-2.el9_1.x86_64.rpm lua-debugsource-5.4.4-2.el9_1.i686.rpm lua-debugsource-5.4.4-2.el9_1.x86_64.rpm lua-libs-5.4.4-2.el9_1.i686.rpm lua-libs-5.4.4-2.el9_1.x86_64.rpm lua-libs-debuginfo-5.4.4-2.el9_1.i686.rpm lua-libs-debuginfo-5.4.4-2.el9_1.x86_64.rpm Red Hat CodeReady Linux Builder (v. 9): aarch64: lua-debuginfo-5.4.4-2.el9_1.aarch64.rpm lua-debugsource-5.4.4-2.el9_1.aarch64.rpm lua-devel-5.4.4-2.el9_1.aarch64.rpm lua-libs-debuginfo-5.4.4-2.el9_1.aarch64.rpm ppc64le: lua-debuginfo-5.4.4-2.el9_1.ppc64le.rpm lua-debugsource-5.4.4-2.el9_1.ppc64le.rpm lua-devel-5.4.4-2.el9_1.ppc64le.rpm lua-libs-debuginfo-5.4.4-2.el9_1.ppc64le.rpm s390x: lua-debuginfo-5.4.4-2.el9_1.s390x.rpm lua-debugsource-5.4.4-2.el9_1.s390x.rpm lua-devel-5.4.4-2.el9_1.s390x.rpm lua-libs-debuginfo-5.4.4-2.el9_1.s390x.rpm x86_64: lua-5.4.4-2.el9_1.i686.rpm lua-debuginfo-5.4.4-2.el9_1.i686.rpm lua-debuginfo-5.4.4-2.el9_1.x86_64.rpm lua-debugsource-5.4.4-2.el9_1.i686.rpm lua-debugsource-5.4.4-2.el9_1.x86_64.rpm lua-devel-5.4.4-2.el9_1.i686.rpm lua-devel-5.4.4-2.el9_1.x86_64.rpm lua-libs-debuginfo-5.4.4-2.el9_1.i686.rpm lua-libs-debuginfo-5.4.4-2.el9_1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-43519 https://access.redhat.com/security/cve/CVE-2021-44964 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBY/3zp9zjgjWX9erEAQjZig/8DnekOlyH0F4wxM8JExw/EMzzJEZKaYfL fwMZdWcc68YOglJFmKP7sLe0uC0qKlHIXnqVZ01zzmqXrLqIXPf4zigeJKDnCyOs 2nTFnYADXiCsjMUBvWBIV9CRP2pV+yp807GlghPPM4bz7jDMN541wXPXuPKR8twR hZrWeHmpC4f7pnC0sTao1xcD3v17q+38QBGadDrdWXSN77HlWR7nume4XKMM0zcd agDKE4JqH/nwhasvTEnRNQ4YdNR85vnI7tK/3dTQXTMmlWZy/V91WVQTqPlCiMF/ wnrzhhh2XsbyMs3xpCozDk3sxytVwRKD64zBrKoqqcC1NpKkeSFiMVpcobOvH+pm vnI15LGw4oERta//yzZga7W90tkIsVrfKELaVdUCaDuszFPVHbQTEaNYM7U7i+Jn z7RoruIBp47JnvefKH12wWUbIRDWKxe3EVZ+8pzfA4BYYwkEa43wNCrhxm8kWg82 OHHV9vZqS5XCd+iWwBGH2WtQCB4qgXsW7UGzFCj+t9CGRy5o5F24fLvP2VHMWS+O aGolbYylUoL95KEIpsKa32kMXT0ZRzYAcjz+IzhW7qTS2F9BRmFxRAjRYIiGLm8g SxlU8mVazPXUXXI5mZtiYNPUOxHVjVQixRp5C+DCxdU4piz4MxTMeVVpHgN8MchW ejQzMcIJKd0= =Cs1f -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce