
CVE-2020-15945: imprecise package information

Open xnox opened this issue 1 year ago • 3 comments

Description

https://images.chainguard.dev/security/CVE-2020-15945

Expand references, and navigate to debian tracker at https://security-tracker.debian.org/tracker/CVE-2020-15945

lua5.3 is not-affected, as the bug is specific to 5.4.0

Thus the status should be: package lua5.4, not affected, code not present, as Wolfi has never shipped v5.4.0.

xnox, Nov 22 '24 14:11

Lol impressive => imprecise

xnox, Nov 22 '24 14:11

Agreed: https://github.com/lua/lua/commit/a2195644d89812e5b157ce7bac35543e06db05e3#commitcomment-150387752

eslerm, Dec 16 '24 07:12

In a conversation with MITRE and the upstream author, Roberto confirmed that the affected range of CVE-2020-15945 is since 5.4.0 and until 5.4.1 and referenced this bug/range as: https://www.lua.org/bugs.html#5.4.0-8

The MITRE CNA updated their CVE: https://github.com/CVEProject/cvelistV5/blame/21ba742890907c4ebbf76ed45c9c1f4d8832d73d/cves/2020/15xxx/CVE-2020-15945.json#L19 \o/

Many thanks Roberto and MITRE.

As the underlying CVE metadata is no longer incorrect, this should no longer be an issue. CVE scanners may be slow to update.

eslerm, Feb 19 '25 22:02
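The thread's point is that a scanner only produces the right verdict once the CVE record carries a precise affected range (affected from 5.4.0, fixed in 5.4.1) rather than a bare product name. The following added example, which is not code from this issue, from Chainguard, or from the CVE project, shows how a scanner-style check evaluates such a range against package versions. The JSON fragment is constructed here in the shape of a CVE JSON 5 `affected[].versions[]` entry that mirrors the range stated above; it is not copied from the real CVE-2020-15945 record, and the package names and versions checked (lua5.3 at 5.3.6, lua5.4 at 5.4.6, plus the two boundary versions) are assumed for illustration. It also handles the general `lessThan` / `lessThanOrEqual` / exact-version forms that CVE 5 records can use, not only the one range discussed here.

```python
"""Evaluate a CVE JSON 5 style affected-version range against package versions.

Constructed example: the `versions` entry below mirrors the corrected range
for CVE-2020-15945 as described in the issue thread (affected from 5.4.0,
fixed in 5.4.1). It is not copied from the CVE record, and the package
versions checked in `__main__` are assumed for illustration.
"""
from __future__ import annotations

import json
import re

# Constructed fragment shaped like a CVE JSON 5 `affected[]` entry.
CORRECTED_RANGE_JSON = """
{
  "product": "Lua",
  "versions": [
    {"version": "5.4.0", "status": "affected", "versionType": "semver", "lessThan": "5.4.1"}
  ],
  "defaultStatus": "unaffected"
}
"""


def parse_version(v: str) -> tuple[int, ...]:
    """Split a dotted version like '5.4.0' into a comparable integer tuple.

    A distro suffix such as '5.4.0-r3' is dropped after the numeric core so
    that package versions compare against upstream release numbers.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def version_status(version: str, affected: dict) -> str:
    """Return the CVE 5 status ('affected'/'unaffected') for one version.

    Handles the three ways a range can be expressed in a `versions` entry:
    exact `version` only, `version` + `lessThan` (half-open interval), and
    `version` + `lessThanOrEqual` (closed interval). A `lessThan` of "*"
    means unbounded above. Versions matched by no entry take `defaultStatus`.
    """
    v = parse_version(version)
    for entry in affected.get("versions", []):
        start = parse_version(entry["version"])
        if "lessThan" in entry:
            upper = entry["lessThan"]
            in_range = v >= start and (upper == "*" or v < parse_version(upper))
        elif "lessThanOrEqual" in entry:
            upper = entry["lessThanOrEqual"]
            in_range = v >= start and (upper == "*" or v <= parse_version(upper))
        else:
            in_range = v == start
        if in_range:
            return entry["status"]
    return affected.get("defaultStatus", "unknown")


def check_packages(affected_json: str, packages: dict[str, str]) -> dict[str, str]:
    """Map each package name to its status under the given affected entry."""
    affected = json.loads(affected_json)
    return {name: version_status(ver, affected) for name, ver in packages.items()}


if __name__ == "__main__":
    # Assumed package versions, chosen to probe both boundaries of the range.
    sample = {
        "lua5.3": "5.3.6",      # below the affected range
        "lua5.4": "5.4.6-r1",   # above the fix version, distro suffix stripped
        "lua-at-5.4.0": "5.4.0",  # exactly the affected release
        "lua-at-5.4.1": "5.4.1",  # the fix release, excluded by lessThan
    }
    for name, status in check_packages(CORRECTED_RANGE_JSON, sample).items():
        print(f"{name}: {status}")
```

With the range expressed this way, the only version the check reports as affected is 5.4.0 itself; a lua5.3 package and a lua5.4 package that never shipped 5.4.0 both come out unaffected, which is the verdict the thread expects once scanners pick up the corrected record.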