- Subject: Lua [in]security and the distributors
- From: Jonas Thiem <jonasthiem@...>
- Date: Tue, 26 Aug 2014 16:06:22 +0200
Hi *,
the Lua crash exploit published since April 2013 is unfixed in:
* Debian stable
* Fedora
* OpenSuse
* Ubuntu 12 LTS (still supported)
.. or in other words, every distribution I checked so far. On the IRC
channel people told me that Lua use for sandboxing is very common, so
this seems to be a notable problem.
So, another crazy idea: what about you make front page announcements
for discovered exploits? A bit like the big red boxes libpng uses:
http://www.libpng.org/pub/png/libpng.html
Or maybe the conclusion is just that distributions don't give a sh**
about a secure Lua. Which raises another question: maybe Lua should
release an up-to-date tarball after each discovered bug to make it
easier for people to compile a secure, up-to-date Lua themselves? Last
time I got the response "don't worry about that" which kind of
suggested to let distributors take care of an up-to-date Lua, but
apparently that's not happening.
I am just throwing ideas in the room, maybe none of them are worth
pursuing - but I guess this situation is worth talking about.
Regards,
Jonas Thiem