[luatex] Security: Lua update and rebuild required
Henri Menke
henrimenke at gmail.com
Thu Aug 6 10:08:51 CEST 2020
Dear lists, (luatex and tlbuild)
I don't actually know how these things are handled in TeX Live but
recently several CVEs for Lua (all versions up to 5.4.0) have been
published:
https://nvd.nist.gov/vuln/detail/CVE-2020-15888
https://nvd.nist.gov/vuln/detail/CVE-2020-15889
https://nvd.nist.gov/vuln/detail/CVE-2020-15945
Since users of LuaTeX are running potentially untrusted code and all of
these vulnerabilities are rated with severity high or critical, I
believe it is necessary to rebuild all affected LuaTeX version, ideally
including those in frozen TeX Live releases. This is particularly
important because there already exist exploits for all of these
vulnerabilites (link to the Lua mailing list threads are in CVEs).
Kind regards,
Henri
More information about the luatex
mailing list.