Control: tag -1 upstream On Fri, Jul 30, 2021 at 02:35:58PM +0400, Movses Tovmasyan wrote: > grub2 uses the obsolete version of minilua > (single-file port of Lua) which has CVE-2014-5461 > Patch attached below.
The upstream repository for this is https://git.savannah.gnu.org/cgit/grub-extras.git, and this doesn't seem to be fixed there. Could you please send a patch to grub-de...@gnu.org for review (as a proper textual git patch, not a screenshot of a patch)? We can then cherry-pick it from there. I've merged the various bugs that you filed against different versions and binary packages of the Debian grub2 source package. We only need one bug report for this. Thanks, -- Colin Watson (he/him) [cjwat...@debian.org]