Regarding CVEs in Lua 5.1 and LuaJIT 2.1.0 used in OpenResty nginx


putta anoop

Feb 4, 2022, 2:30:29 AM
to openresty-en
We are using OpenResty nginx version: nginx/1.17.10. And OpenResty uses Lua 5.1 and LuaJIT 2.1. We build it from the code.

From the FAQ section, it's mentioned that OpenResty doesn't support 5.2+ and also LuaJIT 2.1 is highly recommended.

But there are CVEs reported in Lua 5.1 (CVE-2020-15889) and LuaJIT 2.1.0 (CVE-2020-24372).

Is there any tentative timeline for when OpenResty will support the latest versions of Lua and LuaJIT to get away from these CVEs?

Please help us with the details.

Thanks,
Anoop

Luis Gasca

Feb 4, 2022, 2:57:21 AM
to openre...@googlegroups.com
About CVE-2020-15889

http://lua-users.org/lists/lua-l/2020-12/msg00157.html

>> As we told you repeatedly on IRC, the bug only affects 5.4.0. No other
>> version is affected. No backport is therefore required.

>> (both are fixed in 5.4.1)


About LuaJIT 2.1.0 CVE-2020-24372

https://github.com/openresty/luajit2/pull/104

Patch was merged in OpenResty.

By merge date, probably fixed in the 1.19 series. Not completely sure about this one.

Regards,
Luis
