Latest upstream release: 5.2.3 Current version/release in Fedora Rawhide: 5.2.2-5.fc21 URL: http://www.lua.org/ftp/ Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring
Lua 5.2.2 has various security issues, amongst them this one (from lua.org/bugs):
    function f(p1, p2, p3, p4, p5, p6, p7, p8, p9, p10,
               p11, p12, p13, p14, p15, p16, p17, p18, p19, p20,
               p21, p22, p23, p24, p25, p26, p27, p28, p29, p30,
               p31, p32, p33, p34, p35, p36, p37, p38, p39, p40,
               p41, p42, p43, p44, p45, p46, p48, p49, p50, ...)
      local a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13, a14
    end
    f() -- crashes on some machines
An update would be very desirable, especially considering this has been unfixed in Fedora for almost a year(!) now. A more general inquiry: is there a security update plan for Fedora regarding Lua bugs? (unrelated to regular Lua releases which are often issued only months after the bugs and their patches have been made public) Waiting a year for the fix for publicly known interpreter crashes that produce an endless stream of GLIBC memory corruption warnings (sounds like possible code injection or other worse things might be possible?) seems quite undesirable.
(I forgot to mention this, the code above indeed crashes in Fedora's current Lua - and this bug has been known since April 2013 according to the Lua page, along with a bugfix/patch.)
Latest upstream release: 5.3.0 Current version/release in Fedora Rawhide: 5.2.3-1.fc22 URL: http://www.lua.org/ftp/ Soon this service will be implemented by a new system: https://release-monitoring.org/ It will require to manage monitored projects via a new web interface. Please make yourself familiar with the new system to ease the transition.
till's lua-5.3.0-2.fc23 completed http://koji.fedoraproject.org/koji/buildinfo?buildID=613727
kalev's lua-5.3.0-3.fc23 completed http://koji.fedoraproject.org/koji/buildinfo?buildID=621958
It has been almost a year now. If you forgot, this was originally labelled a security issue (CVE-2014-5461). Debian fixed it within 2-3 days after I sent them an email about it, Ubuntu after a week. Considering it's still not fixed in Fedora 21 (which hasn't reached End of Life, has it?), I'm very compelled to move on to some other distribution which takes security more seriously than just assigning a CVE number. I know you fixed stuff like OpenSSL's Heartbleed pretty quickly and of course this has less impact, but as a Lua programmer this *is* impacting me, and especially compared to the other distributions I contacted about it (which all fixed it after a few DAYS) your reaction is somewhat disappointing.
Latest upstream release: 5.3.1 Current version/release in rawhide: 5.3.0-3.fc23 URL: http://www.lua.org/ftp/ Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.
Created attachment 1039928 [patch] Update to 5.3.1 (#1039249)
Latest upstream release: 5.3.2 Current version/release in rawhide: 5.3.0-4.fc23 URL: http://www.lua.org/ftp/
Failed to kick off scratch build. spectool was unable to grab new sources old source: lua-5.2.3.tar.gz old sha256: 13c2fb97961381f7d06d5b5cea55b743c163800896fd5c5e2356201d3619002d new source: ./lua-5.2.3.tar.gz new sha256: 13c2fb97961381f7d06d5b5cea55b743c163800896fd5c5e2356201d3619002d
fenris02's lua-5.3.2-1.fc24 completed http://koji.fedoraproject.org/koji/buildinfo?buildID=704758
spot's lua-5.3.2-2.fc24 completed http://koji.fedoraproject.org/koji/buildinfo?buildID=704933
lua-5.3.2-2.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-d68f8a1cba
lua-5.3.2-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-5edf8033b3
lua-5.3.2-2.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update lua' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-d68f8a1cba
lua-5.3.2-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update lua' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-5edf8033b3
lua-5.3.2-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
lua-5.3.2-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.