Re: Several CVEs in Lua 5.4
Hello,

On Wed, 29 Jul 2020 at 11:16, Froehlich, Dominik wrote:
>
> Hi Lukas,
>
> Thanks for the reply.
> My query goes along the lines of which Lua version is compatible with HAproxy
> and contains fixes to those CVEs.
> I could not find a specific instruction as to which Lua version can be used
> to build HAproxy / has been tested for production use.

Currently LUA 5.3 is supported; patches will be committed soon for LUA 5.4 support:
https://github.com/haproxy/haproxy/issues/730#issuecomment-664555213

But the way to fix this is not to rush to a new major LUA release, but to backport the fixes to LUA 5.3 instead.

Lukas
Re: Several CVEs in Lua 5.4
On 7/29/20 11:16 AM, Froehlich, Dominik wrote:
> Hi Lukas,
>
> Thanks for the reply.
> My query goes along the lines of which Lua version is compatible with HAproxy and contains fixes to those CVEs.
> I could not find a specific instruction as to which Lua version can be used to build HAproxy / has been tested for production use.
> We are consuming a bundled version (currently HAproxy 1.9.15 with Lua 5.3.5) but I don't know if it is safe to bump the Lua version only.

I don't think HAProxy works with Lua 5.4 (yet); there should be another recent thread about it. So you are stuck at the 5.3.x branch for now.

Best regards,
Adis
Re: Several CVEs in Lua 5.4
Hi Lukas,

Thanks for the reply.
My query goes along the lines of which Lua version is compatible with HAproxy and contains fixes to those CVEs.
I could not find a specific instruction as to which Lua version can be used to build HAproxy / has been tested for production use.
We are consuming a bundled version (currently HAproxy 1.9.15 with Lua 5.3.5) but I don't know if it is safe to bump the Lua version only.

Thanks and regards,
D

On 29.07.20, 11:06, "Lukas Tribus" wrote:

> Hello,
>
> On Wed, 29 Jul 2020 at 10:23, Froehlich, Dominik wrote:
> >
> > Hello everyone,
> >
> > Not sure if this is already addressed. Today I got a CVE report of several issues with Lua 5.3.5 up to 5.4.
> >
> > I believe Lua 5.4 is currently recommended to build with HAproxy 2.x?
> >
> > Before I open an issue on github I would like to ask if these are already known / addressed:
>
> I don't understand, specifically what are you asking us to do here? It's not like we ship LUA ...
>
> Lukas
Re: Several CVEs in Lua 5.4
Hello,

On Wed, 29 Jul 2020 at 10:23, Froehlich, Dominik wrote:
>
> Hello everyone,
>
> Not sure if this is already addressed. Today I got a CVE report of several
> issues with Lua 5.3.5 up to 5.4.
>
> I believe Lua 5.4 is currently recommended to build with HAproxy 2.x?
>
> Before I open an issue on github I would like to ask if these are already
> known / addressed:

I don't understand, specifically what are you asking us to do here? It's not like we ship LUA ...

Lukas
Several CVEs in Lua 5.4
Hello everyone,

Not sure if this is already addressed. Today I got a CVE report of several issues with Lua 5.3.5 up to 5.4.

I believe Lua 5.4 is currently recommended to build with HAproxy 2.x?

Before I open an issue on github I would like to ask if these are already known / addressed:

Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c.
https://nvd.nist.gov/vuln/detail/CVE-2019-6706

Lua through 5.4.0 mishandles the interaction between stack resizes and garbage collection.
https://nvd.nist.gov/vuln/detail/CVE-2020-15888

Lua through 5.4.0 has a getobjname heap-based buffer over-read because youngcollection in lgc.c uses markold for an insufficient number of list members.
https://nvd.nist.gov/vuln/detail/CVE-2020-15889

Best regards,
D