{ "schema_version": "1.7.0", "id": "MGASA-2026-0225", "published": "2026-06-18T21:28:22Z", "modified": "2026-06-18T20:36:23Z", "summary": "Updated luajit packages fix security vulnerabilities", "details": "In LuaJIT through 2.0.5, as used in Moonjit before 2.1.2 and other\nproducts, debug.getinfo has a type confusion issue that leads to\narbitrary memory write or read operations, because certain cases\ninvolving valid stack levels and > options are mishandled.\n(CVE-2019-19391)\nLuaJIT through 2.1.0-beta3 has an out-of-bounds read in lj_err_run in\nlj_err.c. (CVE-2020-24372)\nLuaJIT through 2.1 and OpenRusty luajit2 before v2.1-20240626 have a\nstack-buffer-overflow in lj_strfmt_wfnum in lj_strfmt_num.c.\n(CVE-2024-25176)\nLuaJIT through 2.1 and OpenRusty luajit2 before v2.1-20240314 have an\nunsinking of IR_FSTORE for NULL metatable, which leads to Denial of\nService (DoS). (CVE-2024-25177)\nLuaJIT through 2.1 and OpenRusty luajit2 before v2.1-20240314 have an\nout-of-bounds read in the stack-overflow handler in lj_state.c.\n(CVE-2024-25178)\n", "upstream": [ "CVE-2019-19391", "CVE-2020-24372", "CVE-2024-25176", "CVE-2024-25177", "CVE-2024-25178" ], "references": [ { "type": "ADVISORY", "url": "https://advisories.mageia.org/MGASA-2026-0225.html" }, { "type": "REPORT", "url": "https://bugs.mageia.org/show_bug.cgi?id=34491" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XU3NWLH45W4F7OBKEB4XEOJQI4S36PU5/" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00022.html" } ], "affected": [ { "package": { "ecosystem": "Mageia:9", "name": "luajit", "purl": "pkg:rpm/mageia/luajit?arch=source&distro=mageia-9" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.1.0-0.beta3.10.1.mga9" } ] } ], "ecosystem_specific": { "section": "core" } } ], "credits": [ { "name": "Mageia", "type": "COORDINATOR", "contact": [ "https://wiki.mageia.org/en/Packages_Security_Team" ] } ] }