Thanks for the clear statement.
Please understand that I cannot leverage discussions on IRC to contradict NIST and the security tools that are used to scan the application. Nor can I impose an upgrade on the development team.
Anyway I am thankful to all who took time to help me with my issue.
>>>>> "Bruno" == Bruno Vernay <firstname.lastname@example.org> writes:
Bruno> My simple question would be:
Bruno> If CVE-2020-15889 affects up to and including 5.4.0, then where can
Bruno> I find a patch to backport to previous versions like 5.3.5?
As we told you repeatedly on IRC, the bug only affects 5.4.0. No other
version is affected. No backport is therefore required.
Note that the description in the CVE appears to be conflating two
different bugs, one described at https://www.lua.org/bugs.html#5.4.0-6
and the other at http://lua-users.org/lists/lua-l/2020-07/msg00071.html
(both are fixed in 5.4.1).