Hello everyone, Not sure if this is already addressed. Today I got a CVE report of several issues with Lua 5.3.5 up to 5.4. I believe Lua 5.4 is currently recommended to build with HAproxy 2.x?
Before I open an issue on github I would like to ask if these are already known / addressed: Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. https://nvd.nist.gov/vuln/detail/CVE-2019-6706 Lua through 5.4.0 mishandles the interaction between stack resizes and garbage collection. https://nvd.nist.gov/vuln/detail/CVE-2020-15888 Lua through 5.4.0 has a getobjname heap-based buffer over-read because youngcollection in lgc.c uses markold for an insufficient number of list members. https://nvd.nist.gov/vuln/detail/CVE-2020-15889 Best regards, D