ALAS-2014-402

Amazon Linux 1 Security Advisory: ALAS-2014-402
Advisory Release Date: 2014-09-17 21:44 Pacific
Advisory Updated Date: 2014-09-19 12:01 Pacific

Severity: Medium

References: CVE-2014-5461
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Buffer overflow in the vararg functions in ldo.c in Lua 5.1 through 5.2.x before 5.2.3 allows context-dependent attackers to cause a denial of service (crash) via a small number of arguments to a function with a large number of fixed arguments.

Affected Packages:

lua

Issue Correction:
Run yum update lua to update your system.

New Packages:

i686:
    lua-5.1.4-4.1.9.amzn1.i686
    lua-devel-5.1.4-4.1.9.amzn1.i686
    lua-debuginfo-5.1.4-4.1.9.amzn1.i686
    lua-static-5.1.4-4.1.9.amzn1.i686

src:
    lua-5.1.4-4.1.9.amzn1.src

x86_64:
    lua-devel-5.1.4-4.1.9.amzn1.x86_64
    lua-debuginfo-5.1.4-4.1.9.amzn1.x86_64
    lua-static-5.1.4-4.1.9.amzn1.x86_64
    lua-5.1.4-4.1.9.amzn1.x86_64

Additional References

Red Hat: CVE-2014-5461

Mitre: CVE-2014-5461