#1119119 memcached builds a vendor copy of lua

#1119119#5
Date:
2025-10-10 06:47:22 UTC
From:
To:
Hi,

while looking into a cross build failure of memcached, I noticed that
memcached started building a vendor copy of lua in 1.6.32-2. This is
problematic, because Debian already maintains several versions of lua
and issues security updates for them. As an example, I checked
CVE-2021-43519 and you can easily see that memcached's vendor copy is
vulnerable by looking up the upstream commit[1] from the associated
Debian bug[2]. While this specific vulnerability may not warrant serious
severity, chances are high that it is affected by more and more severe
ones.

I recommend taking action in one of two ways:

A. Use a system version of lua.

B. Keep vendoring lua.
   * Fix all known vulnerabilities.
   * Register the embedding with Debian's security-tracker.

If choosing the latter route, I'll have to supply further changes to
accommodate cross building (which used to work until the vendor copy was
built).

I also suggest downgrading the severity of this bug report once all
known vulnerabilities have been assessed for their impact on memcached.

Helmut

[1] https://github.com/lua/lua/commit/74d99057a5146755e737c479850f87fd0e3b6868
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000228
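The check that follows from this report is whether a memcached binary actually resolves Lua through the distribution's shared library (a DT_NEEDED entry that ld.so loads, so Debian's liblua security updates reach it) or carries its own statically built copy. The script below is an added example, not code from the bug report or from the memcached package: it lists the DT_NEEDED sonames of an ELF64 binary with nothing but the standard library and classifies the Lua linkage. The soname prefix liblua, the "Lua 5." version-string heuristic for an embedded interpreter, and the build_sample_elf fixture (a constructed minimal ELF image for offline testing, not a runnable program) are all assumptions of the example.

```python
"""List an ELF64 binary's DT_NEEDED sonames and classify how it gets Lua.

Added example for bug #1119119, not code from the bug report or the memcached
package.  Pure standard library, so it runs offline on any Linux binary.
"""
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5


def _vaddr_to_offset(loads, vaddr):
    """Map a link-time virtual address to a file offset via the PT_LOAD segments."""
    for p_offset, p_vaddr, p_filesz in loads:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError("address %#x is not backed by any PT_LOAD segment" % vaddr)


def dt_needed(data):
    """Return the DT_NEEDED sonames of a little-endian ELF64 image (bytes)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    loads, dynamic = [], None
    for i in range(e_phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_offset, p_vaddr, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        return []  # fully static binary: nothing is resolved by ld.so
    offsets, strtab = [], None
    pos, end = dynamic[0], dynamic[0] + dynamic[1]
    while pos + 16 <= end:
        d_tag, d_val = struct.unpack_from("<qQ", data, pos)
        pos += 16
        if d_tag == DT_NULL:
            break
        if d_tag == DT_NEEDED:
            offsets.append(d_val)
        elif d_tag == DT_STRTAB:
            strtab = _vaddr_to_offset(loads, d_val)  # DT_STRTAB holds a vaddr
    if strtab is None:
        return []
    return [data[strtab + o:data.index(b"\x00", strtab + o)].decode() for o in offsets]


def lua_linkage(data, marker=b"Lua 5."):
    """Classify Lua linkage: ('system', [liblua sonames]) when ld.so will load a
    liblua; ('embedded', []) when no liblua is needed but a Lua version string is
    baked into the image (assumed heuristic: a statically linked interpreter
    carries its "Lua 5.x" text); ('none', []) otherwise."""
    libs = [n for n in dt_needed(data) if n.startswith("liblua")]
    if libs:
        return "system", libs
    if marker in data:
        return "embedded", []
    return "none", []


def build_sample_elf(needed):
    """Constructed test fixture, not a runnable program: a minimal ELF64 image with
    one PT_LOAD mapping the whole file at vaddr 0 and a PT_DYNAMIC listing `needed`."""
    strtab, offsets = b"\x00", []
    for name in needed:
        offsets.append(len(strtab))
        strtab += name.encode() + b"\x00"
    dyn_off = 64 + 2 * 56                      # ELF header + two program headers
    dyn = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offsets)
    str_off = dyn_off + len(dyn) + 32          # string table follows DT_STRTAB, DT_NULL
    dyn += struct.pack("<qQ", DT_STRTAB, str_off) + struct.pack("<qQ", DT_NULL, 0)
    total = str_off + len(strtab)
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8 +
            struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 64, 0, 0))
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    dynamic = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                          len(dyn), len(dyn), 8)
    return ehdr + load + dynamic + dyn + strtab


if __name__ == "__main__":
    import sys
    kind, libs = lua_linkage(open(sys.argv[1], "rb").read())
    print(kind, " ".join(libs))
```

Run it as `python3 lua_linkage.py /usr/bin/memcached`; a build that follows the system-library route reports `system` together with the liblua soname, while a build that still compiles the vendored tree in reports `embedded` (or `none` if the Lua strings were stripped). The same DT_NEEDED list is what `readelf -d /usr/bin/memcached | grep NEEDED` prints; the script only makes the check scriptable and independent of binutils.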

#1119119#10
Date:
2025-10-27 21:26:05 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
memcached, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1119119@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated memcached package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 27 Oct 2025 12:14:56 -0700
Source: memcached
Architecture: source
Version: 1.6.39-2
Distribution: unstable
Urgency: medium
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1119119
Changes:
 memcached (1.6.39-2) unstable; urgency=medium
 .
   * Don't use the embedded Lua version. (Closes: #1119119)
   * Drop Rules-Requires-Root: no in debian/control.
   * Drop binary dependency on lsb-base.
Checksums-Sha1:
 6b69d0a62794378ff92d82ad79aae97ef4d8b28c 2025 memcached_1.6.39-2.dsc
 6cd8586f2b4fcc6c8db51fe0825580b0b17b18d7 926524 memcached_1.6.39.orig.tar.xz
 0ede529918f265e6f5cba168a5a79d2c5c23d832 17752 memcached_1.6.39-2.debian.tar.xz
 78d62c7ad83eebb4b134369a74d879161d602e74 4696 memcached_1.6.39-2_source.buildinfo
Checksums-Sha256:
 f9d0baba78b3fada6f02a800b423d92a143bdf691fad753735f4e1a5fde9a0e8 2025 memcached_1.6.39-2.dsc
 dfe8484aee9df5d451da15df3426746be2468124e01cd91f831b5199a9ec897b 926524 memcached_1.6.39.orig.tar.xz
 438de1f793de9b371e188d57d0ccbc81f205cb587bbf0838a33b49590893ddd8 17752 memcached_1.6.39-2.debian.tar.xz
 71be02543a7157086b18035a483bad062dc4baf41e5297f34242d37180aa5223 4696 memcached_1.6.39-2_source.buildinfo
Files:
 886d142f08cec8c8fca8c53b4a52fe45 2025 web optional memcached_1.6.39-2.dsc
 63752e18ee27258836c112d85de52b9c 926524 web optional memcached_1.6.39.orig.tar.xz
 93c3f84cd57533a6e88cf2ebe392e8a8 17752 web optional memcached_1.6.39-2.debian.tar.xz
 f5ba3ddc31e995a1af0941960d6ecc5c 4696 web optional memcached_1.6.39-2_source.buildinfo