Bug 25953

Summary: memcached new security issue CVE-2019-15026
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, mageia, sysadmin-bugs, tarazed25, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: memcached-1.5.16-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2019-12-26 03:32:08 CET 
Fedora has issued an advisory on October 3:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QDBV5OGV3FJDAH4NO4JSXNRWHDGGKWYB/

The issue is fixed upstream in 1.5.17.
Comment 1 Marc Krämer 2019-12-27 13:01:56 CET 
Updated memcached packages fix security vulnerability:

memcached 1.5.16, when UNIX sockets are used, has a stack-based buffer over-read in conn_to_str in memcached.c.

This update adds the ability to recover the cache from disk. [3]

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15026
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1753862
[3] https://github.com/memcached/memcached/wiki/ReleaseNotes1518

========================

Updated packages in {core,tainted}/updates_testing:
========================
memcached-1.5.20-1.mga7
memcached-devel-1.5.20-1.mga7
memcached-debugsource-1.5.20-1.mga7
memcached-debuginfo-1.5.20-1.mga7

Source RPMs: 
memcached-1.5.20-1.mga7.src.rpm

Assignee: mageia => qa-bugs

David Walser 2019-12-27 15:13:50 CET

CC: (none) => mageia

Comment 2 Len Lawrence 2020-01-02 13:17:48 CET 
Mageia7, x86_64

Went straight to updating since no reproducer could be found for the CVE.
Clean update with core updates testing enabled, ignoring the debug repositories.

Started memcached server in a terminal then moved to another terminal to send some data.  This was a data string formerly used in bug 25267 to reproduce an issue so it is still a valid message to test the server but note that it has nothing to do with the current bug.

$ echo -n "bHJ1IG1vZGUKb7G0AGxydWRl6gdtTk9UXw==" | base64 -d | nc 127.0.0.1 11211
ERROR
^C

That was the expected return and the server kept running.
Looked at
https://github.com/memcached/memcached/wiki/ReleaseNotes1518
for some instruction on recovering the cache between restarts but found myself out of my depth - for instance, requiring a temporary ramdisk to be mounted.

Enabled tainted updates testing but could not find any packages to test.
What should we expect to find in tainted updates testing?

CC: (none) => tarazed25

Comment 3 David Walser 2020-01-02 13:28:29 CET 
That was a copy paste error.  This package is not in tainted.
Comment 4 Len Lawrence 2020-01-02 13:50:30 CET 
Thanks David - I kinda guessed it was something like that.  Sending it on.

Whiteboard: (none) => MGA7-64-OK

Comment 5 Thomas Andrews 2020-01-03 19:20:59 CET 
Validating. Advisory information in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-01-05 13:34:53 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 6 Mageia Robot 2020-01-05 16:40:07 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0016.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED