Your message dated Mon, 27 Oct 2025 21:26:05 +0000
with message-id <[email protected]>
and subject line Bug#1119119: fixed in memcached 1.6.39-2
has caused the Debian Bug report #1119119,
regarding memcached builds a vendor copy of lua
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1119119: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1119119
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: memcached
Version: 1.6.32-2
Severity: serious
Justification: vendor copy of vulnerable software
Tags: security
Hi,
while looking into a cross build failure of memcached, I noticed that
memcached started building a vendor copy of lua in 1.6.32-2. This is
problematic, because Debian already maintains several versions of lua
and issues security updates for them. As an example, I checked
CVE-2021-43519 and you can easily see that memcached's vendor copy is
vulnerable by looking up the upstream commit[1] from the associated
Debian bug[2]. While this specific vulnerability may not warrant serious
severity, chances are high that it is affected by more and more severe
ones.
I recommend taking action in one of two ways:
A. Use a system version of lua.
B. Keep vendoring lua.
* Fix all known vulnerabilities.
* Register the embedding with Debian's security-tracker.
If choosing the latter route, I'll have to supply further changes to
accommodate cross building (which used to work until the vendor copy was
built).
I also suggest downgrading the severity of this bug report once all
known vulnerabilities have been assessed for their impact on memcached.
Helmut
[1] https://github.com/lua/lua/commit/74d99057a5146755e737c479850f87fd0e3b6868
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000228
--- End Message ---
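A check in the spirit of the report above, added here as an example (not code from the bug report or from the memcached package): it walks a source tree for lua.h headers, the canonical marker of an embedded Lua copy, and extracts the Lua 5.2+ version macros so a vendored copy can be spotted and its version compared against Debian's lua packages before it is registered with the security-tracker. The tree it scans is constructed inline.

```python
"""Report vendored copies of Lua in a source tree (added example, not memcached code)."""
import re
import tempfile
from pathlib import Path

# Lua 5.2 and later define the version as three string macros in lua.h;
# LUA_VERSION_RELEASE is the patch level that security fixes bump.
_MACRO = re.compile(
    r'^#define\s+(LUA_VERSION_(?:MAJOR|MINOR|RELEASE))\s+"(\d+)"', re.M)


def lua_version_from_header(text):
    """Return 'MAJOR.MINOR.RELEASE' parsed from lua.h text, or None if absent."""
    found = dict(_MACRO.findall(text))
    if not {"LUA_VERSION_MAJOR", "LUA_VERSION_MINOR"} <= set(found):
        return None  # not a Lua 5.2+ header (or a file merely named lua.h)
    return ".".join((found["LUA_VERSION_MAJOR"], found["LUA_VERSION_MINOR"],
                     found.get("LUA_VERSION_RELEASE", "0")))


def find_vendored_lua(root):
    """Walk root and map each directory holding a real lua.h to its version."""
    root = Path(root)
    hits = {}
    for path in root.rglob("lua.h"):
        version = lua_version_from_header(path.read_text(errors="replace"))
        if version is not None:
            hits[path.parent.relative_to(root).as_posix()] = version
    return hits


# Constructed sample: the macro block as it appears in a Lua 5.4.6 lua.h.
_SAMPLE_LUA_H = ('#define LUA_VERSION_MAJOR\t"5"\n'
                 '#define LUA_VERSION_MINOR\t"4"\n'
                 '#define LUA_VERSION_RELEASE\t"6"\n'
                 '#define LUA_VERSION_NUM\t\t504\n')


def demo():
    """Scan a constructed tree: one embedded Lua plus a decoy header named lua.h."""
    with tempfile.TemporaryDirectory() as root:
        vendored = Path(root, "vendor", "lua")
        vendored.mkdir(parents=True)
        (vendored / "lua.h").write_text(_SAMPLE_LUA_H)
        wrapper = Path(root, "src")
        wrapper.mkdir()
        (wrapper / "lua.h").write_text("/* thin wrapper over the system Lua */\n")
        return find_vendored_lua(root)  # returns {'vendor/lua': '5.4.6'}


if __name__ == "__main__":
    print(demo())
```

Run it against the unpacked source package instead of the constructed tree by calling find_vendored_lua on that directory; an empty result means no embedded copy was found.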
--- Begin Message ---
Source: memcached
Source-Version: 1.6.39-2
Done: Chris Lamb <[email protected]>
We believe that the bug you reported is fixed in the latest version of
memcached, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated memcached package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 27 Oct 2025 12:14:56 -0700
Source: memcached
Architecture: source
Version: 1.6.39-2
Distribution: unstable
Urgency: medium
Maintainer: Chris Lamb <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Closes: 1119119
Changes:
memcached (1.6.39-2) unstable; urgency=medium
.
* Don't use the embedded Lua version. (Closes: #1119119)
* Drop Rules-Requires-Root: no in debian/control.
* Drop binary dependency on lsb-base.
--- End Message ---