Now I have a hard time finding a patch too.
NIST references a "Patch"
https://nvd.nist.gov/vuln/detail/CVE-2020-15889 very simple one line.
I really doubt it fixes the CVE. Either NIST should be alerted, or
the commit should contain an explicit info about the CVE.
My simple question would be:
If CVE-2020-15889 affects up to including 5.4.0, then where can I find
a patch to backport to previous versions like 5.3.5 ?
If it affects Lua since 5.4.0, then has it ever been fixed ?
Please understand that I cannot leverage discussions on IRC to contradict the NIST and the security tools that are used to scan the application. I cannot either impose to the development team to upgrade.
Anyway I am thankful to all who took time to help me with my issue.