LuaJIT through 2.1.0-beta3 has an out-of-bounds read because __gc handler frame traversal is mishandled. References: https://github.com/LuaJIT/LuaJIT/issues/601
Created luajit tracking bugs for this issue: Affects: epel-all [bug 1860331] Affects: fedora-all [bug 1860330]
Created luajit tracking bugs for this issue: Affects: openstack-rdo [bug 1861551]
Upstream fix: https://github.com/LuaJIT/LuaJIT/commit/53f82e6e2e858a0a62fd1a2ff47e9866693382e6
Statement: OpenShift ServiceMesh proxy does package a vulnerable version of luajit. The segmentation fault is triggered by creating an inline code rule in the envoy filter; however, envoy can also be caused to exit via a code rule which is not syntactically correct. A user who has permissions to change the filter rule can have the same effect regardless, hence this issue will not be addressed at this time and might be fixed in a future release.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-15890