Red Hat Security Advisory 2023-1211-01

Red Hat Security Advisory 2023-1211-01: Posted Mar 15, 2023; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2023-1211-01 - The lua packages provide support for Lua, a powerful light-weight programming language designed for extending applications. Lua is also frequently used as a general-purpose, stand-alone language. Issues addressed include denial of service and use-after-free vulnerabilities.; tags | advisory, denial of service, vulnerability; systems | linux, redhat; advisories | CVE-2021-43519, CVE-2021-44964; SHA-256 | 5396afc103b8ffb5326b7ab62ff38a74445264e3e9eb7ae9126d459719b4a406; Download | Favorite | View

Red Hat Security Advisory 2023-1211-01

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: lua security update
Advisory ID:       RHSA-2023:1211-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1211
Issue date:        2023-03-14
CVE Names:         CVE-2021-43519 CVE-2021-44964 
=====================================================================

1. Summary:

An update for lua is now available for Red Hat Enterprise Linux 9.0
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder EUS (v.9.0) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream EUS (v.9.0) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux BaseOS EUS (v.9.0) - aarch64, ppc64le, s390x, x86_64

3. Description:

The lua packages provide support for Lua, a powerful light-weight
programming language designed for extending applications. Lua is also
frequently used as a general-purpose, stand-alone language.

The following packages have been upgraded to a later upstream version: lua
(5.4.4).

Security Fix(es):

* lua: use after free allows Sandbox Escape (CVE-2021-44964)

* lua: stack overflow in lua_resume of ldo.c allows a DoS via a crafted
script file (CVE-2021-43519)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2047672 - CVE-2021-43519 lua: stack overflow in lua_resume of ldo.c allows a DoS via a crafted script file
2064772 - CVE-2021-44964 lua: use after free allows Sandbox Escape

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.9.0):

aarch64:
lua-5.4.4-1.el9_0.1.aarch64.rpm
lua-debuginfo-5.4.4-1.el9_0.1.aarch64.rpm
lua-debugsource-5.4.4-1.el9_0.1.aarch64.rpm
lua-libs-debuginfo-5.4.4-1.el9_0.1.aarch64.rpm

ppc64le:
lua-5.4.4-1.el9_0.1.ppc64le.rpm
lua-debuginfo-5.4.4-1.el9_0.1.ppc64le.rpm
lua-debugsource-5.4.4-1.el9_0.1.ppc64le.rpm
lua-libs-debuginfo-5.4.4-1.el9_0.1.ppc64le.rpm

s390x:
lua-5.4.4-1.el9_0.1.s390x.rpm
lua-debuginfo-5.4.4-1.el9_0.1.s390x.rpm
lua-debugsource-5.4.4-1.el9_0.1.s390x.rpm
lua-libs-debuginfo-5.4.4-1.el9_0.1.s390x.rpm

x86_64:
lua-5.4.4-1.el9_0.1.x86_64.rpm
lua-debuginfo-5.4.4-1.el9_0.1.x86_64.rpm
lua-debugsource-5.4.4-1.el9_0.1.x86_64.rpm
lua-libs-debuginfo-5.4.4-1.el9_0.1.x86_64.rpm

Red Hat Enterprise Linux BaseOS EUS (v.9.0):

Source:
lua-5.4.4-1.el9_0.1.src.rpm

aarch64:
lua-debuginfo-5.4.4-1.el9_0.1.aarch64.rpm
lua-debugsource-5.4.4-1.el9_0.1.aarch64.rpm
lua-libs-5.4.4-1.el9_0.1.aarch64.rpm
lua-libs-debuginfo-5.4.4-1.el9_0.1.aarch64.rpm

ppc64le:
lua-debuginfo-5.4.4-1.el9_0.1.ppc64le.rpm
lua-debugsource-5.4.4-1.el9_0.1.ppc64le.rpm
lua-libs-5.4.4-1.el9_0.1.ppc64le.rpm
lua-libs-debuginfo-5.4.4-1.el9_0.1.ppc64le.rpm

s390x:
lua-debuginfo-5.4.4-1.el9_0.1.s390x.rpm
lua-debugsource-5.4.4-1.el9_0.1.s390x.rpm
lua-libs-5.4.4-1.el9_0.1.s390x.rpm
lua-libs-debuginfo-5.4.4-1.el9_0.1.s390x.rpm

x86_64:
lua-debuginfo-5.4.4-1.el9_0.1.i686.rpm
lua-debuginfo-5.4.4-1.el9_0.1.x86_64.rpm
lua-debugsource-5.4.4-1.el9_0.1.i686.rpm
lua-debugsource-5.4.4-1.el9_0.1.x86_64.rpm
lua-libs-5.4.4-1.el9_0.1.i686.rpm
lua-libs-5.4.4-1.el9_0.1.x86_64.rpm
lua-libs-debuginfo-5.4.4-1.el9_0.1.i686.rpm
lua-libs-debuginfo-5.4.4-1.el9_0.1.x86_64.rpm

Red Hat CodeReady Linux Builder EUS (v.9.0):

aarch64:
lua-debuginfo-5.4.4-1.el9_0.1.aarch64.rpm
lua-debugsource-5.4.4-1.el9_0.1.aarch64.rpm
lua-devel-5.4.4-1.el9_0.1.aarch64.rpm
lua-libs-debuginfo-5.4.4-1.el9_0.1.aarch64.rpm

ppc64le:
lua-debuginfo-5.4.4-1.el9_0.1.ppc64le.rpm
lua-debugsource-5.4.4-1.el9_0.1.ppc64le.rpm
lua-devel-5.4.4-1.el9_0.1.ppc64le.rpm
lua-libs-debuginfo-5.4.4-1.el9_0.1.ppc64le.rpm

s390x:
lua-debuginfo-5.4.4-1.el9_0.1.s390x.rpm
lua-debugsource-5.4.4-1.el9_0.1.s390x.rpm
lua-devel-5.4.4-1.el9_0.1.s390x.rpm
lua-libs-debuginfo-5.4.4-1.el9_0.1.s390x.rpm

x86_64:
lua-5.4.4-1.el9_0.1.i686.rpm
lua-debuginfo-5.4.4-1.el9_0.1.i686.rpm
lua-debuginfo-5.4.4-1.el9_0.1.x86_64.rpm
lua-debugsource-5.4.4-1.el9_0.1.i686.rpm
lua-debugsource-5.4.4-1.el9_0.1.x86_64.rpm
lua-devel-5.4.4-1.el9_0.1.i686.rpm
lua-devel-5.4.4-1.el9_0.1.x86_64.rpm
lua-libs-debuginfo-5.4.4-1.el9_0.1.i686.rpm
lua-libs-debuginfo-5.4.4-1.el9_0.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-43519
https://access.redhat.com/security/cve/CVE-2021-44964
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZBCPdNzjgjWX9erEAQijQw/+PAUHPPT6ReT++SM/MKYXHBp8fCo9rKCQ
uuvMz1itTQjP4iSBGKFBLuBKfQC8oTK5Sn1uy2lZvY3ECNbPSOQUJSCurdDNXCvn
VOu/yDiZktCHXO1rzU0IHXM4FnyJSTrJEODOm+pYC3gakP8EZRAoDDMOLbzVz8gB
NgsvCo9GfRmeFXtd7TDbbpMuPEcYHnjz0TfxcH++Vk7IeV9Ka6Z74VD3erFQgAmu
BrR8nI7IHqssbp/8MVyhXN1SZxwlnX4UsgqB+b5QQTdiT/ARgCjB2e6spF4qtfX/
9EUPaYNrVf6JQTbSRmPxsDMD9XPJO/YNS2FaBrM8BFU18JDMWLYSfA9+Wg5T7u6K
Hmq67QnsoVX08uPFkThCFR0PqQb1lSY5GS5x0ZpIN1/4wzhwZSRzGYCtexzSMzLz
Y2HD9hGZziscE2Ae9OG6UQr3uylyd43ZkCtePUtyJ9gYDOE3gfqesSZgwIxnhHzE
aMulcXnXo59e6aK041hAfbMbFkwrcCkEDhxsLoxSc3L+IvTr62Fw8s6gv9q0wEPD
VDLEzAg8m46LmvNmzmeb+RQkEzTXNfTD3Lo9tzjdwb1osxqVG9tK7SKuDds2NVbw
xvU+3lzfzrkipOnivoVEXJZVQJMpm443ApIPTvQfHEjTPm4lkDBgyKXVm/PRMUDM
vZY2mF08dBQ=
=r9xp
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Red Hat Security Advisory 2023-1211-01

Red Hat Security Advisory 2023-1211-01

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Red Hat Security Advisory 2023-1211-01

Share This

Red Hat Security Advisory 2023-1211-01

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems