Dear lists, (luatex and tlbuild) I don't actually know how these things are handled in TeX Live but recently several CVEs for Lua (all versions up to 5.4.0) have been published:
https://nvd.nist.gov/vuln/detail/CVE-2020-15888 https://nvd.nist.gov/vuln/detail/CVE-2020-15889 https://nvd.nist.gov/vuln/detail/CVE-2020-15945 Since users of LuaTeX are running potentially untrusted code and all of these vulnerabilities are rated with severity high or critical, I believe it is necessary to rebuild all affected LuaTeX version, ideally including those in frozen TeX Live releases. This is particularly important because there already exist exploits for all of these vulnerabilites (link to the Lua mailing list threads are in CVEs). Kind regards, Henri
