Critical Photon OS Security Update - PHSA-2022-0173

Updates of 'sendmail', 'lua' packages of Photon OS have been released...

Lua buffer overflow vulnerability (CNVD-2022-31843)

Lua is a lightweight, extensible open source scripting language from the Lua LUA team. A buffer error vulnerability exists in Lua 5.4.4 and earlier, which stems from the lack of a specific luaKexp2anyregup call in singlevar in lparser.c, resulting in an overread of the heap-based buffer, which...

CVE-2022-29266

In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information...

CVE-2022-29266

In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information...

CVE-2022-29266

In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information...

Information disclosure

In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information...

CVE-2022-29266 apisix/jwt-auth may leak secrets in error response

In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information...

CVE-2022-29266

Apache APISIX prior to 3.13.1 is affected by an information-disclosure issue in the jwt-auth plugin. The error message returned by the dependency lua-resty-jwt can leak the user’s secret key, enabling leakage of sensitive credentials. Affected product: Apache APISIX (jwt-auth plugin); vulnerable ...

CLSA-2022-1650377152 Fix CVE(s): CVE-2020-11724

SECURITY UPDATE: HTTP request smuggling in Lua module - debian/modules/nginx-lua: Fix parsing HTTP headers in the ngx.location.capture API porting an upstream patch 9ab38e8ee35fc08a57636b1b6190dca70b0076fa from https://github.com/openresty/lua-nginx-module - CVE-2020-11724...

Lua v5.4.3 and above are affected by SEGV by type confusion in funcnamefromcode function in ldebug.c which can cause a local denial of service.

...

USN-5371-1 nginx vulnerabilities

It was discovered that nginx Lua module mishandled certain inputs. An attacker could possibly use this issue to perform an HTTP Request Smuggling attack. This issue was fixed for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. CVE-2020-11724 It was discovered that nginx Lua module mishandled certain input...

CVE-2022-28805

A heap buffer-overflow vulnerability was found in Lua. The flaw occurs due to vulnerable code present in the lparser.c function of Lua that allows the execution of untrusted Lua code into a system, resulting in malicious activity...

CVE-2020-15945 affecting package lua for versions less than 5.4.3-1

CVE-2020-15945 affecting package lua for versions less than 5.4.3-1. An upgraded version of the package is available that resolves this issue...

CVE-2020-15888 affecting package lua for versions less than 5.3.5-11

CVE-2020-15888 affecting package lua for versions less than 5.3.5-11. A patched version of the package is available...

CVE-2021-43519 affecting package lua for versions less than 5.4.3-1

CVE-2021-43519 affecting package lua for versions less than 5.4.3-1. A patched version of the package is available...

CVE-2019-6706 affecting package lua for versions less than 5.3.5-11

CVE-2019-6706 affecting package lua for versions less than 5.3.5-11. A patched version of the package is available...

AZL-9333 CVE-2022-28805 affecting package lua for versions less than 5.4.3-2

singlevar in lparser.c in Lua from including 5.4.0 up to excluding 5.4.4 lacks a certain luaKexp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code...

CVE-2022-28805

singlevar in lparser.c in Lua from including 5.4.0 up to excluding 5.4.4 lacks a certain luaKexp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code...

ALPINE-CVE-2022-28805

singlevar in lparser.c in Lua from including 5.4.0 up to excluding 5.4.4 lacks a certain luaKexp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code...

CVE-2022-28805

singlevar in lparser.c in Lua from including 5.4.0 up to excluding 5.4.4 lacks a certain luaKexp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code...