Debian dla-4283 : libluajit-5.1-2 - security update

critical Nessus Plugin ID 255190

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4283 advisory.

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4283-1                    [email protected]
https://www.debian.org/lts/security/                     Guilhem Moulin
August 25, 2025                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : luajit
Version        : 2.1.0~beta3+dfsg-5.3+deb11u1
CVE ID         : CVE-2019-19391 CVE-2020-15890 CVE-2020-24372 CVE-2024-25176 CVE-2024-25177 CVE-2024-25178
Debian Bug     : 946053 966148

Multiple vulnerabilities were found in luajit, a just-in-time compiler for the Lua programming language, which could lead to denial of service.

CVE-2019-19391

It was discovered that debug.getinfo() has a type confusion issue that leads to arbitrary memory write or read operations, because certain cases involving valid stack levels and `>` options are mishandled.

NOTE: The LuaJIT project owner disputes the vulnerability and states that the debug library is unsafe by design.

CVE-2020-15890

Yongheng Chen discovered an out-of-bounds read because `__gc` handler frame traversal is mishandled.

CVE-2020-24372

Yongheng Chen discovered an out-of-bounds read in lj_err_run().

CVE-2024-25176

Kutyavin Maxim discovered a stack-buffer-overflow in lj_strfmt_wfnum().

CVE-2024-25177

Kutyavin Maxim discovered an unsinking of IR_FSTORE for NULL metatable.

CVE-2024-25178

Kutyavin Maxim discovered an out-of-bounds read in the stack-overflow handler.

For Debian 11 bullseye, these problems have been fixed in version 2.1.0~beta3+dfsg-5.3+deb11u1.

We recommend that you upgrade your luajit packages.

For the detailed security status of luajit please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/luajit

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the libluajit-5.1-2 packages.

See Also

https://security-tracker.debian.org/tracker/source-package/luajit

https://security-tracker.debian.org/tracker/CVE-2019-19391

https://security-tracker.debian.org/tracker/CVE-2020-15890

https://security-tracker.debian.org/tracker/CVE-2020-24372

https://security-tracker.debian.org/tracker/CVE-2024-25176

https://security-tracker.debian.org/tracker/CVE-2024-25177

https://security-tracker.debian.org/tracker/CVE-2024-25178

https://packages.debian.org/source/bullseye/luajit

Plugin Details

Severity: Critical

ID: 255190

File Name: debian_DLA-4283.nasl

Version: 1.1

Type: local

Agent: unix

Published: 8/25/2025

Updated: 8/25/2025

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2019-19391

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:libluajit-5.1-dev, p-cpe:/a:debian:debian_linux:luajit, p-cpe:/a:debian:debian_linux:libluajit-5.1-2, p-cpe:/a:debian:debian_linux:libluajit-5.1-common

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/25/2025

Vulnerability Publication Date: 11/29/2019

Reference Information

CVE: CVE-2019-19391, CVE-2020-15890, CVE-2020-24372, CVE-2024-25176, CVE-2024-25177, CVE-2024-25178