Source: memcached
Version: 1.6.32-2
Severity: serious
Justification: vendor copy of vulnerable software
Tags: security

Hi,

while looking into a cross build failure of memcached, I noticed that memcached started building a vendor copy of lua in 1.6.32-2. This is problematic, because Debian already maintains several versions of lua and issues security updates for them. As an example, I checked CVE-2021-43519 and you can easily see that memcached's vendor copy is vulnerable by looking up the upstream commit[1] from the associated Debian bug[2]. While this specific vulnerability may not warrant serious severity, chances are high that it is affected by more and more severe ones.

I recommend taking action in one of two ways:

A. Use a system version of lua.
B. Keep vendoring lua.
   * Fix all known vulnerabilities.
   * Register the embedding with Debian's security-tracker.

If choosing the latter route, I'll have to supply further changes to accommodate cross building (which used to work until the vendor copy was built). I also suggest downgrading the severity of this bug report once all known vulnerabilities have been assessed for their impact on memcached.

Helmut

[1] https://github.com/lua/lua/commit/74d99057a5146755e737c479850f87fd0e3b6868
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000228
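The kind of audit the report calls for, as an added example that is not part of the bug report or of the memcached package: walk a source tree, find every embedded lua.h, read the version macros Lua ships in that header, and flag copies older than the version Debian packages. The sample header contents and the versions 5.4.3 and 5.4.6 are constructed values for the demonstration, not memcached's real vendored version.

```python
import re
import tempfile
from pathlib import Path

# Lua 5.2+ declare LUA_VERSION_MAJOR/MINOR/RELEASE as string macros in lua.h;
# Lua 5.1 only carries LUA_RELEASE "Lua 5.1.x". Match either form.
_MACRO = re.compile(
    r'^\s*#define\s+(LUA_VERSION_MAJOR|LUA_VERSION_MINOR|LUA_VERSION_RELEASE|LUA_RELEASE)'
    r'\s+"([^"]*)"', re.M)

# Constructed lua.h fragment standing in for a vendored copy (not memcached's).
SAMPLE_LUA_H = '#define LUA_VERSION_MAJOR\t"5"\n#define LUA_VERSION_MINOR\t"4"\n' \
               '#define LUA_VERSION_RELEASE\t"3"\n'


def lua_version_from_header(text):
    """Return 'major.minor.release' parsed from lua.h contents, or None."""
    found = dict(_MACRO.findall(text))
    if {"LUA_VERSION_MAJOR", "LUA_VERSION_MINOR", "LUA_VERSION_RELEASE"} <= found.keys():
        return ".".join(found[k] for k in
                        ("LUA_VERSION_MAJOR", "LUA_VERSION_MINOR", "LUA_VERSION_RELEASE"))
    if "LUA_RELEASE" in found:  # Lua 5.1 style: "Lua 5.1.5"
        m = re.search(r"(\d+\.\d+(?:\.\d+)?)", found["LUA_RELEASE"])
        return m.group(1) if m else None
    return None


def find_vendored_lua(root):
    """Map each directory under root that holds a parseable lua.h to its version."""
    hits = {}
    for path in Path(root).rglob("lua.h"):
        version = lua_version_from_header(path.read_text(errors="replace"))
        if version is not None:
            hits[str(path.parent.relative_to(root))] = version
    return hits


def is_older_than(vendored, reference):
    """True if the vendored version is strictly older than the packaged reference."""
    as_tuple = lambda v: tuple(int(x) for x in v.split("."))
    return as_tuple(vendored) < as_tuple(reference)


def demo(reference="5.4.6"):
    """Build a constructed tree with one vendored copy and audit it against reference."""
    with tempfile.TemporaryDirectory() as root:
        vendor = Path(root, "vendor", "lua", "src")
        vendor.mkdir(parents=True)
        (vendor / "lua.h").write_text(SAMPLE_LUA_H)
        return {d: (v, is_older_than(v, reference))
                for d, v in find_vendored_lua(root).items()}
```

A copy flagged True still needs the per-CVE check the report describes (looking up the upstream fix commit), since a vendored tree may carry backported patches without a version bump.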

