Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 496506 (CVE-2013-7239) - <net-misc/memcached-1.4.17: SASL authentication allows wrong credentials to access memcache (CVE-2013-7239)
Summary: <net-misc/memcached-1.4.17: SASL authentication allows wrong credentials to a...
Status: RESOLVED FIXED
Alias: CVE-2013-7239
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-30 16:44 UTC by Samuel Damashek (RETIRED)
Modified: 2014-06-19 11:49 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Samuel Damashek (RETIRED) gentoo-dev 2013-12-30 16:44:52 UTC
From ${URL} :

From upstream release notes for 1.4.17 it states "The other notable
bug is a SASL authentication bypass glitch. If a client makes an
invalid request with SASL credentials, it will initially fail. However
if you issue a second request with bad SASL credentials, it will
authenticate. This has now been fixed.".


Release notes:
https://code.google.com/p/memcached/wiki/ReleaseNotes1417

Relative issue:
https://code.google.com/p/memcached/issues/detail?id=316

Commit fixing issue:
https://github.com/memcached/memcached/commit/87c1cf0f20be20608d3becf854e9cf0910f4ad32
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2013-12-31 05:18:33 UTC
Thank you for the report Samuel

upstream fix in version 1.4.17 also 1.4.17 available in tree.

Maintainer(s) please advise when ready for stabilization.
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-01-14 20:25:37 UTC
Just need to remove the old versions?
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-01-14 22:33:06 UTC
Current stable version is: 1.4.13-r1

This version is vulnerable as all versions are < 1.4.17.  1.4.17 is in a tree but is not stable at this time. It needs to be stabilized and then 1.4.* removed as part of cleanup.

My question is are we ready to stabilize 1.4.17 as we can call for stabilization if the maintainers think that they are ready for it.
Comment 4 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-01-15 18:06:07 UTC
Is that all ebuilds less then 1.4.17 or just all less then 1.4.17 in the 1.4.x branch?
Comment 5 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-01-15 19:13:39 UTC
arches, please stablize =net-misc/memcached-1.4.17
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2014-01-15 19:24:22 UTC
SASL support in memcached was introduced in 1.4.3 (if I am correct) so that means the 1.4.x tree is vulnerable and not the previous versions.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2014-01-16 15:12:43 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2014-01-16 20:16:04 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-01-16 20:17:50 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-01-17 20:43:30 UTC
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-01-17 20:47:14 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-01-18 20:16:08 UTC
alpha stable
Comment 13 Markus Meier gentoo-dev 2014-01-19 12:33:05 UTC
arm stable
Comment 14 Agostino Sarubbo gentoo-dev 2014-01-26 11:48:33 UTC
ia64 stable
Comment 15 Agostino Sarubbo gentoo-dev 2014-01-26 11:58:49 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 16 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-01-26 19:59:40 UTC
did a little extra cleanup, but all the badness was removed.

the following were removed
memcached-1.4.0-r2.ebuild memcached-1.4.0-r3.ebuild memcached-1.4.10-r1.ebuild memcached-1.4.11.ebuild memcached-1.4.13.ebuild memcached-1.4.13-r1.ebuild memcached-1.4.1-r1.ebuild memcached-1.4.2-r1.ebuild memcached-1.4.4-r1.ebuild memcached-1.4.5-r1.ebuild memcached-1.4.7-r1.ebuild memcached-1.4.8-r1.ebuild memcached-1.3.0-r1.ebuild memcached-1.3.3-r3.ebuild memcached-1.3.3-r4.ebuild memcached-1.2.5-r1.ebuild memcached-1.2.4-r1.ebuild memcached-1.2.1-r2.ebuild memcached-1.1.12-r3.ebuild

the following remain
memcached-1.1.13-r2.ebuild  memcached-1.1.13-r3.ebuild  memcached-1.2.6-r1.ebuild  memcached-1.2.8-r1.ebuild  memcached-1.3.3-r5.ebuild  memcached-1.4.17.ebuild
Comment 17 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-01-27 07:18:24 UTC
gonna remove myself from cc cause I'm done here, feel free to readd if needed.
Comment 18 Yury German Gentoo Infrastructure gentoo-dev 2014-01-28 06:05:34 UTC
Maintainer(s), Thank you for your work!

GLSA Request Filed.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2014-02-04 13:57:09 UTC
CVE-2013-7239 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7239):
  memcached before 1.4.17 allows remote attackers to bypass authentication by
  sending an invalid request with SASL credentials, then sending another
  request with incorrect SASL credentials.
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2014-06-15 00:48:10 UTC
This issue was resolved and addressed in
 GLSA 201406-13 at http://security.gentoo.org/glsa/glsa-201406-13.xml
by GLSA coordinator Chris Reffett (creffett).
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2014-06-19 11:49:53 UTC
This issue was resolved and addressed in
 GLSA 201406-13 at http://security.gentoo.org/glsa/glsa-201406-13.xml
by GLSA coordinator Chris Reffett (creffett).