Thank you for your concern.

I fixed CVE-2014-5461 for Lunacy back in 2021:

https://github.com/samboy/lunacy/commit/4de84e044c1219b06744...

This is discussed here:

https://samboy.github.io/MaraDNS/webpage/security.html#CVE-2...

In addition, I have done other security hardening with Lunacy compared to Lua 5.1:

https://samboy.github.io/MaraDNS/webpage/lunacy/

Now, I should probably explain why I’m using Lua 5.1 instead of the latest “official” version of Lua. Lua has an interesting history; in particular Lua 5.1 is the most popular version and the version which is most commonly used or forked against. Adobe Illustrator uses Lua 5.1, and Roblox uses a fork of Lua 5.1 called “luau”. LuaJIT is based on Lua 5.1, and other independent implementations of Lua (Moonsharp, etc.) are based on versions mostly compatible with Lua 5.1.

Lua 5.1 has a remarkably good security history, and of course I take responsibility for any security bugs in the Lua 5.1 codebase since I use the code with the relatively new coLunacyDNS server (Lua 5.1 isn’t used with the MaraDNS or Deadwood servers).

Lua 5.1 is used to convert documentation, but those scripts are run offline and the converted documents are part of the MaraDNS Git tree.

Unless the service accepts Lua code from the internet (and that would be a completely insane thing), the CVE-2014-5461 will not apply. And while I have not reviewed every Lua CVE, I bet most (all?) of then require a specifically crafted code, or at least highly-complex user input (such as arbitrary json)

It's important to look at the actual vulnerability at the context, and not just list any CVE which matches by version.