Hi Hilmar! On Sun, May 21, 2023 at 09:54:30PM +0200, Preuße, Hilmar wrote: > On 21.05.2023 21:06, Salvatore Bonaccorso wrote: > > Hello Salvatore, > > > The following vulnerability was published for texlive-bin. > > > > CVE-2023-32668[0]: > > | LuaTeX before 1.17.0 allows a document (compiled with the default > > | settings) to make arbitrary network requests. This occurs because full > > | access to the socket library is permitted by default, as stated in the > > | documentation. This also affects TeX Live before 2023 r66984 and > > | MiKTeX before 23.5. > > > > I updated to luatex 1.17.0 already in the TeX Live binaries for TL 2023 in > commit 5348a805847c038d92c80a9b208da48dc527decd, the needed adaptions for > Context were made, but all that needs to be tested. > > Is that sufficient or do we need to fix all this in bookworm / bullseye too?
Correct, I think this is the correct way to address it for trixie. For bookworm and bullseye, the impact is low enough that we can either think of including the fix in a point release or ignore it. When looking at it it was unclear to me apart ConTeXt, if any other reverse depndencies might be impacted. According to https://tug.org/~mseven/luatex.html#luasocket at least ConTeXt might need change for the default change behviour with the new flag. Thanks for taking care of this. Regards, Salvatore

