lua-l archive


My simple question would be:
If CVE-2020-15889 affects up to and including 5.4.0, then where can I find
a patch to backport to previous versions like 5.3.5?
If it affects Lua since 5.4.0, then has it ever been fixed?


On Fri, Dec 11, 2020 at 2:00 PM Bruno Vernay <> wrote:
> Hi
> Here it reads that versions up to 5.4 are affected
> which is plain wrong, misleading and
> should be corrected.
> Here that versions from 5.4 are affected
> which is right I
> guess.
> Now I have a hard time finding a patch too.
> NIST references a "Patch"
> very simple one line.
> I really doubt it fixes the CVE.  Either NIST should be alerted, or
> the commit should contain an explicit info about the CVE.
> On IRC, I have been referred to "it's bug #6 on here:
> "
> and that the correct commit would be " correct commit:
> But there is no reference to the CVE in any of the commits.
> It would help to clarify the situation with NIST, VulDB and reference
> the CVE in the commits (I understand there are no pull-request) or
> create an explicit patch like this
> Thanks