Your message dated Thu, 24 Apr 2025 15:13:42 +0000
with message-id <e1u7ygk-000apu...@fasolo.debian.org>
and subject line Bug#1051511: fixed in lua-http 0.4-2
has caused the Debian Bug report #1051511,
regarding lua-http: CVE-2023-4540
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1051511: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051511
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: lua-http
Version: 0.4-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for lua-http.
CVE-2023-4540[0]:
| Improper Handling of Exceptional Conditions vulnerability in
| Daurnimator lua-http library allows Excessive Allocation and a
| denial of service (DoS) attack to be executed by sending a properly
| crafted request to the server. This issue affects lua-http: all
| versions before commit ddab283.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-4540
https://www.cve.org/CVERecord?id=CVE-2023-4540
[1] https://github.com/daurnimator/lua-http/commit/ddab2835c583d45dec62680ca8d3cbde55e0bae6
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: lua-http
Source-Version: 0.4-2
Done: Jakub Ružička <j...@debian.org>
We believe that the bug you reported is fixed in the latest version of
lua-http, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1051...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jakub Ružička <j...@debian.org> (supplier of updated lua-http package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 24 Apr 2025 14:15:44 +0200
Source: lua-http
Architecture: source
Version: 0.4-2
Distribution: unstable
Urgency: medium
Maintainer: Jakub Ružička <j...@debian.org>
Changed-By: Jakub Ružička <j...@debian.org>
Closes: 1051511
Changes:
lua-http (0.4-2) unstable; urgency=medium
.
[ Debian Janitor ]
* Remove constraints unnecessary since buster (oldstable)
.
[ Jakub Ružička ]
* Make myself Maintainer
* Bump Standards-Version to 4.7.2. No changes required
* patch: handle EOF when body_read_type==length (CVE-2023-4540, Closes:
#1051511)
Checksums-Sha1:
7c6ea76e99f10629e0047dec388dfc6fe55c074a 1978 lua-http_0.4-2.dsc
bba6c6aabc035c6ce699c9d25edb646baf2f00e3 4916 lua-http_0.4-2.debian.tar.xz
a877422f57b3f171a047377f66c0afcad113464d 6769 lua-http_0.4-2_source.buildinfo
Checksums-Sha256:
1578148c43cb5b92f3574dab83c2790eaf6ebbff2a4890353bcd09ebc34ce101 1978 lua-http_0.4-2.dsc
6665448a4c04e2cef59f3954b3430906b1a084027b12f338b7384d846f15b1e6 4916 lua-http_0.4-2.debian.tar.xz
e548196543aed156812cd950bc26ebfb31c544cca89754c4d6f16a31e130f99d 6769 lua-http_0.4-2_source.buildinfo
Files:
40ab11e578b50c5e80ce9c2bacb0bf3e 1978 interpreters optional lua-http_0.4-2.dsc
ff9d678b953e9d8dcc3b307b272f13ad 4916 interpreters optional lua-http_0.4-2.debian.tar.xz
8fe030a2118f70ec5a2a4eefbf7d5913 6769 interpreters optional lua-http_0.4-2_source.buildinfo
--- End Message ---