lua-users home
lua-l archive

Sorry I forgot to add this: of course only if this wasn't already done
- right now there is no such note on the download page, but I
understand 5.2.3 doesn't have any notable bugs up to now either. But
maybe a persistent note might be a good idea so all distributors
coming around now are aware for the future, even if it's not an issue
as of now.

On Thu, Aug 21, 2014 at 3:26 PM, Jonas Thiem <jonasthiem@googlemail.com> wrote:
> Hi *,
>
> I suggest adding a warning to the download page if the tarball isn't
> patched up with all latest security fixes (e.g. like #1 bug in Lua
> 5.2.2 published in April 2013 on lua.org/bugs.html, which wasn't fixed
> in the tarball up to the release of 5.2.3 in Nov 2013).
>
> I am asking because Red Hat/Fedora appeared to be totally unaware the
> tarballs aren't patched up, and in conclusion I assume other
> distributions and packagers might possibly also not be aware unless
> there is a very obvious note on the download page that this is common
> practice for Lua releases.
>
> The response to this bug in 5.2.2 which leads to a crash and possibly
> memory corruption I just got from Red Hat Security Alert was "As
> Fedora would have rebased to upstream version 5.2.2, I do not know why
> the fix is not in there." which indicates they missed how Lua doesn't
> update released tarballs.
>
> Regards,
> Jonas Thiem