[luatex] Security: Lua update and rebuild required

Henri Menke henrimenke at gmail.com
Thu Aug 6 10:08:51 CEST 2020

Dear lists, (luatex and tlbuild)

I don't actually know how these things are handled in TeX Live but
recently several CVEs for Lua (all versions up to 5.4.0) have been


Since users of LuaTeX are running potentially untrusted code and all of
these vulnerabilities are rated with severity high or critical, I
believe it is necessary to rebuild all affected LuaTeX version, ideally
including those in frozen TeX Live releases.  This is particularly
important because there already exist exploits for all of these
vulnerabilites (link to the Lua mailing list threads are in CVEs).

Kind regards,

More information about the luatex mailing list.