ALAS2022-2022-146


Amazon Linux 2022 Security Advisory: ALAS-2022-146
Advisory Release Date: 2022-10-03 21:26 Pacific
Advisory Updated Date: 2022-10-13 18:48 Pacific
Severity: Medium

Issue Overview:

A heap buffer-overflow vulnerability was found in Lua. The flaw is in the parser (lparser.c) and is reached by loading untrusted Lua code, so any system that compiles or runs Lua source from untrusted sources is exposed. (CVE-2022-28805)

A vulnerability was found in Lua. During error handling, the luaG_errormsg() function uses slots from EXTRA_STACK. Some errors can recur while the error is being reported, for example a string overflow while creating the error message in luaG_runerror, or a C-stack overflow before the message handler is called, causing a crash that leads to a denial of service. (CVE-2022-33099)


Affected Packages:

lua


Issue Correction:
Run dnf update lua --releasever=2022.0.20221012 to update your system.
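The following POSIX shell script is an added example and is not part of the advisory or of Amazon's tooling. It decides whether an installed lua package is at or past the fixed build 5.4.4-3.amzn2022 listed below and flags hosts that still need the update. The version comparison is a simplified form of the RPM convention (split version-release into segments, compare numeric segments numerically and the rest lexically), which is sufficient for amzn2022 builds; the host inventory is constructed for the example, and the rpm query in the closing comment is the assumed way to obtain the real value on a host.

```shell
#!/bin/sh
# Added example for ALAS-2022-146 (not the advisory's own code): report lua
# packages older than the fixed build. Assumption: the simplified segment
# comparison below is enough for version-release strings of the amzn2022 form.

FIXED_VR="5.4.4-3.amzn2022"

# is_num S: succeed if S consists only of digits
is_num() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# segments VR: one alphanumeric segment per line
# ("5.4.4-3.amzn2022" -> 5 4 4 3 amzn2022)
segments() {
    printf '%s\n' "$1" | tr -c '0-9A-Za-z\n' '\n' | sed '/^$/d'
}

# vr_cmp A B: print -1, 0 or 1 as A is older than, equal to, or newer than B
vr_cmp() {
    a=$(segments "$1")
    b=$(segments "$2")
    i=1
    while :; do
        x=$(printf '%s\n' "$a" | sed -n "${i}p")
        y=$(printf '%s\n' "$b" | sed -n "${i}p")
        if [ -z "$x" ] && [ -z "$y" ]; then printf '%s\n' '0'; return 0; fi
        if [ -z "$x" ]; then printf '%s\n' '-1'; return 0; fi
        if [ -z "$y" ]; then printf '%s\n' '1'; return 0; fi
        if is_num "$x" && is_num "$y"; then
            # numeric segments: 10 is newer than 3, unlike a lexical compare
            if [ "$x" -lt "$y" ]; then printf '%s\n' '-1'; return 0; fi
            if [ "$x" -gt "$y" ]; then printf '%s\n' '1'; return 0; fi
        elif [ "$x" != "$y" ]; then
            # non-numeric segments such as amzn2022: lexical order via sort
            first=$(printf '%s\n%s\n' "$x" "$y" | sort | head -n 1)
            if [ "$first" = "$x" ]; then printf '%s\n' '-1'; else printf '%s\n' '1'; fi
            return 0
        fi
        i=$((i + 1))
    done
}

# lua_fixed VR: succeed if the lua version-release VR is at or past the fix
lua_fixed() {
    [ "$(vr_cmp "$1" "$FIXED_VR")" -ge 0 ]
}

# Constructed inventory for the example: "host lua-version-release" per line.
# The hosts and versions are made up, not real systems.
INVENTORY='web-1 5.4.4-2.amzn2022
web-2 5.4.4-3.amzn2022
build-1 5.4.3-1.amzn2022
cache-1 5.4.4-10.amzn2022'

# vulnerable_hosts: print the hosts whose lua is older than the fixed build
vulnerable_hosts() {
    printf '%s\n' "$INVENTORY" | while read -r host vr; do
        [ -n "$host" ] || continue
        lua_fixed "$vr" || printf '%s\n' "$host"
    done
}

# On a live Amazon Linux 2022 host, obtain the real value with
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' lua
# feed it to lua_fixed, and remediate with
#   dnf update lua --releasever=2022.0.20221012
vulnerable_hosts
```

The segment-wise comparison matters for the release field: a lexical compare would rank a hypothetical 5.4.4-10.amzn2022 below 5.4.4-3.amzn2022 and wrongly report a patched host as vulnerable.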

New Packages:
aarch64:
    lua-libs-debuginfo-5.4.4-3.amzn2022.aarch64
    lua-debuginfo-5.4.4-3.amzn2022.aarch64
    lua-static-5.4.4-3.amzn2022.aarch64
    lua-5.4.4-3.amzn2022.aarch64
    lua-devel-5.4.4-3.amzn2022.aarch64
    lua-libs-5.4.4-3.amzn2022.aarch64
    lua-debugsource-5.4.4-3.amzn2022.aarch64

src:
    lua-5.4.4-3.amzn2022.src

x86_64:
    lua-libs-debuginfo-5.4.4-3.amzn2022.x86_64
    lua-static-5.4.4-3.amzn2022.x86_64
    lua-5.4.4-3.amzn2022.x86_64
    lua-devel-5.4.4-3.amzn2022.x86_64
    lua-libs-5.4.4-3.amzn2022.x86_64
    lua-debuginfo-5.4.4-3.amzn2022.x86_64
    lua-debugsource-5.4.4-3.amzn2022.x86_64