CVE-2020-15945: imprecise package information

[xnox]

Description

https://images.chainguard.dev/security/CVE-2020-15945

Expand references, and navigate to debian tracker at https://security-tracker.debian.org/tracker/CVE-2020-15945

lua5.3 is not-affected, as the bug is specific to 5.4.0

Thus status should be package lua5.4 not affected, code not present as Wolfi has never shipped v5.4.0

[xnox]

Lol impressive => imprecise

[eslerm]

Agreed: lua/lua@a219564#commitcomment-150387752

[eslerm]

In a conversation with MITRE and the upstream author, Roberto confirmed that the affected range of CVE-2020-15945 is since 5.4.0 and until 5.4.1 and referenced this bug/range as: https://www.lua.org/bugs.html#5.4.0-8

The MITRE CNA updated their CVE: https://github.com/CVEProject/cvelistV5/blame/21ba742890907c4ebbf76ed45c9c1f4d8832d73d/cves/2020/15xxx/CVE-2020-15945.json#L19 \o/

Many thanks Roberto and MITRE.

As the underlying CVE metadata in no longer incorrect, this should no longer be an issue. CVE scanners may be slow to update.