A CVE has been allocated for an issue fixed in memcached 1.4.17:
http://openwall.com/lists/oss-security/2013/12/30/11

The upstream patch is linked in the first message in that thread.

I've checked it into SVN for Mageia 3 and Cauldron and requested a freeze push for Cauldron.
Blocks: (none) => 11726
Whiteboard: (none) => MGA3TOO
Debian has issued an advisory for this on January 1:
http://www.debian.org/security/2014/dsa-2832

Their update also fixed CVE-2013-0179, which sounds like a very minor issue according to the RedHat bug description. There's also more info on the Debian bug about this. It'd be nice to fix it, but issuing another security update for that issue sounds unnecessary.

https://bugzilla.redhat.com/show_bug.cgi?id=895054
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698231
URL: (none) => http://lwn.net/Vulnerabilities/578594/
Patched packages (for CVE-2013-7239) uploaded for Mageia 3 and Cauldron.

Advisory:
========================

Updated memcached packages fix security vulnerability:

It was reported that SASL authentication could be bypassed due to a flaw related to the management of the SASL authentication state. With a specially crafted request, a remote attacker may be able to authenticate with invalid SASL credentials (CVE-2013-7239).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7239
http://www.debian.org/security/2014/dsa-2832
========================

Updated packages in core/updates_testing:
========================
memcached-1.4.15-1.1.mga3
memcached-devel-1.4.15-1.1.mga3

from memcached-1.4.15-1.1.mga3.src.rpm
Version: Cauldron => 3
Blocks: 11726 => (none)
Assignee: bugsquad => qa-bugs
Whiteboard: MGA3TOO => (none)
======================================================
Name: CVE-2013-0179
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0179
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20121206
Category:
Reference: MLIST:[oss-security] 20130114 CVE request: memcached DoS when printing out keys to be deleted in verbose mode
Reference: URL:http://www.openwall.com/lists/oss-security/2013/01/14/4
Reference: MLIST:[oss-security] 20130114 Re: CVE request: memcached DoS when printing out keys to be deleted in verbose mode
Reference: URL:http://www.openwall.com/lists/oss-security/2013/01/14/6
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=895054
Reference: CONFIRM:https://code.google.com/p/memcached/issues/attachmentText?id=306&aid=3060004000&name=0001-Fix-buffer-overrun-when-logging-key-to-delete-in-bin.patch&token=3GEzHThBL5cxmUrsYANkW03RrNY%3A1358179503096
Reference: CONFIRM:https://code.google.com/p/memcached/issues/detail?id=306
Reference: CONFIRM:https://code.google.com/p/memcached/wiki/ReleaseNotes1417
Reference: SECUNIA:56183
Reference: URL:http://secunia.com/advisories/56183

The process_bin_delete function in memcached.c in memcached 1.4.4 and other versions before 1.4.17, when running in verbose mode, allows remote attackers to cause a denial of service (segmentation fault) via a request to delete a key, which does not account for the lack of a null terminator in the key and triggers a buffer over-read when printing to stderr.
======================================================
Name: CVE-2013-7239
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7239
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20131230
Category:
Reference: MLIST:[oss-security] 20131230 Re: CVE Request: SASL authentication allows wrong credentials to access memcache
Reference: URL:http://seclists.org/oss-sec/2013/q4/572
Reference: CONFIRM:https://code.google.com/p/memcached/wiki/ReleaseNotes1417
Reference: DEBIAN:DSA-2832
Reference: URL:http://www.debian.org/security/2014/dsa-2832
Reference: SECUNIA:56183
Reference: URL:http://secunia.com/advisories/56183

memcached before 1.4.17 allows remote attackers to bypass authentication by sending an invalid request with SASL credentials, then sending another request with incorrect SASL credentials.

======================================================
Name: CVE-2013-7290
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7290
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20140110
Category:
Reference: CONFIRM:https://code.google.com/p/memcached/issues/detail?id=306
Reference: CONFIRM:https://code.google.com/p/memcached/wiki/ReleaseNotes1417

The do_item_get function in items.c in memcached 1.4.4 and other versions before 1.4.17, when running in verbose mode, allows remote attackers to cause a denial of service (segmentation fault) via a request to delete a key, which does not account for the lack of a null terminator in the key and triggers a buffer over-read when printing to stderr, a different vulnerability than CVE-2013-0179.
======================================================
Name: CVE-2013-7291
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7291
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20140110
Category:
Reference: CONFIRM:https://code.google.com/p/memcached/issues/detail?id=306
Reference: CONFIRM:https://code.google.com/p/memcached/wiki/ReleaseNotes1417

memcached before 1.4.17, when running in verbose mode, allows remote attackers to cause a denial of service (crash) via a request that triggers an "unbounded key print" during logging, related to an issue that was "quickly grepped out of the source tree," a different vulnerability than CVE-2013-0179 and CVE-2013-7290.
CC: (none) => oe
Summary: memcached new security issue CVE-2013-7239 => memcached new security issues CVE-2013-0179, CVE-2013-7239, CVE-2013-7290, CVE-2013-7291
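The verbose-mode crashes in the CVE records above come from printing a length-delimited key as if it were NUL-terminated. The following is an added example, not the upstream patch and not code from this bug report, of a logging helper that never reads past the stated key length; `ex_render_key`, `ex_log_delete`, `EX_KEY_MAX` and the sample bytes are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EX_KEY_MAX 250 /* assumed key-length cap for this example */

/* Unsafe pattern of the kind the CVE text describes (left as a comment):
 *     fprintf(stderr, "Deleting %s\n", key);
 * "%s" keeps reading until it finds a NUL, but a key taken from a request
 * buffer is nkey bytes long and has no terminator of its own. */

/* Render at most nkey key bytes into out as a NUL-terminated string.
 * Bytes outside printable ASCII (and the backslash) are written as \xNN so
 * a key cannot inject line breaks into the log. Returns the number of key
 * bytes consumed. */
size_t ex_render_key(char *out, size_t outsz,
                     const unsigned char *key, size_t nkey)
{
    size_t o = 0, i;
    if (outsz == 0) return 0;
    if (nkey > EX_KEY_MAX) nkey = EX_KEY_MAX;
    for (i = 0; i < nkey; i++) {
        unsigned char c = key[i];
        if (c >= 0x20 && c < 0x7f && c != '\\') {
            if (o + 1 >= outsz) break;      /* room for char + NUL */
            out[o++] = (char)c;
        } else {
            if (o + 4 >= outsz) break;      /* room for \xNN + NUL */
            snprintf(out + o, outsz - o, "\\x%02x", (unsigned)c);
            o += 4;
        }
    }
    out[o] = '\0';
    return i;
}

/* Verbose-mode log line built only from the bounded rendering. */
int ex_log_delete(FILE *fp, const unsigned char *key, size_t nkey)
{
    char buf[4 * EX_KEY_MAX + 1];
    ex_render_key(buf, sizeof buf, key, nkey);
    return fprintf(fp, "Deleting %s\n", buf);
}

int main(void)
{
    /* Constructed request bytes: 7-byte key followed by other data, no NUL. */
    const unsigned char pkt[] = {'u','s','e','r',':','4','2','V','A','L','U','E'};
    return ex_log_delete(stderr, pkt, 7) > 0 ? 0 : 1;
}
```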
Fixed with memcached-1.4.17-1.mga3 and memcached-1.4.17-1.mga4. Someone should submit memcached-1.4.17 in Cauldron.
Updated memcached pushed in Cauldron.

Advisory:
========================

Updated memcached packages fix security vulnerability:

It was reported that SASL authentication could be bypassed due to a flaw related to the management of the SASL authentication state. With a specially crafted request, a remote attacker may be able to authenticate with invalid SASL credentials (CVE-2013-7239).

Multiple issues in memcached before 1.4.17 which allow remote attackers to cause a denial of service by sending a request that causes a crash when memcached is running in verbose mode (CVE-2013-0179, CVE-2013-7290, CVE-2013-7291).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7239
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7290
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7291
http://www.debian.org/security/2014/dsa-2832
========================

Updated packages in core/updates_testing:
========================
memcached-1.4.17-1.mga3
memcached-devel-1.4.17-1.mga3

from memcached-1.4.17-1.mga3.src.rpm
LWN reference for CVE-2013-729[01]: http://lwn.net/Vulnerabilities/581001/
For regression testing, there's a test suite (make test) that is run during build, so low risk of regression.
CC: (none) => stormi
Very simple test:

# urpmi php-cli php-memcached
# systemctl start memcached@11211.service

As a user, create test.php:

$ cat test.php
#!/bin/php
<?php
$m = new Memcached();
$m->addServer('127.0.0.1', 11211);
$m->set('test', 'my test data : SUCCESS');
echo $m->get('test') . "\n";

$ php test.php
my test data : SUCCESS

=> shows memcached server working.

Ok on i586.
Whiteboard: (none) => has_procedure MGA3-32-OK
Testing complete mga3 64

Advisory uploaded. Validating.

Could sysadmin please push from 3 core/updates_testing to updates

Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA3-32-OK => has_procedure advisory MGA3-32-OK mga3-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0018.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED