From ${URL} : From upstream release notes for 1.4.17 it states "The other notable bug is a SASL authentication bypass glitch. If a client makes an invalid request with SASL credentials, it will initially fail. However if you issue a second request with bad SASL credentials, it will authenticate. This has now been fixed.". Release notes: https://code.google.com/p/memcached/wiki/ReleaseNotes1417 Relative issue: https://code.google.com/p/memcached/issues/detail?id=316 Commit fixing issue: https://github.com/memcached/memcached/commit/87c1cf0f20be20608d3becf854e9cf0910f4ad32
Thank you for the report Samuel upstream fix in version 1.4.17 also 1.4.17 available in tree. Maintainer(s) please advise when ready for stabilization.
Just need to remove the old versions?
Current stable version is: 1.4.13-r1 This version is vulnerable as all versions are < 1.4.17. 1.4.17 is in a tree but is not stable at this time. It needs to be stabilized and then 1.4.* removed as part of cleanup. My question is are we ready to stabilize 1.4.17 as we can call for stabilization if the maintainers think that they are ready for it.
Is that all ebuilds less then 1.4.17 or just all less then 1.4.17 in the 1.4.x branch?
arches, please stablize =net-misc/memcached-1.4.17
SASL support in memcached was introduced in 1.4.3 (if I am correct) so that means the 1.4.x tree is vulnerable and not the previous versions.
Stable for HPPA.
amd64 stable
x86 stable
ppc64 stable
ppc stable
alpha stable
arm stable
ia64 stable
sparc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
did a little extra cleanup, but all the badness was removed. the following were removed memcached-1.4.0-r2.ebuild memcached-1.4.0-r3.ebuild memcached-1.4.10-r1.ebuild memcached-1.4.11.ebuild memcached-1.4.13.ebuild memcached-1.4.13-r1.ebuild memcached-1.4.1-r1.ebuild memcached-1.4.2-r1.ebuild memcached-1.4.4-r1.ebuild memcached-1.4.5-r1.ebuild memcached-1.4.7-r1.ebuild memcached-1.4.8-r1.ebuild memcached-1.3.0-r1.ebuild memcached-1.3.3-r3.ebuild memcached-1.3.3-r4.ebuild memcached-1.2.5-r1.ebuild memcached-1.2.4-r1.ebuild memcached-1.2.1-r2.ebuild memcached-1.1.12-r3.ebuild the following remain memcached-1.1.13-r2.ebuild memcached-1.1.13-r3.ebuild memcached-1.2.6-r1.ebuild memcached-1.2.8-r1.ebuild memcached-1.3.3-r5.ebuild memcached-1.4.17.ebuild
gonna remove myself from cc cause I'm done here, feel free to readd if needed.
Maintainer(s), Thank you for your work! GLSA Request Filed.
CVE-2013-7239 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7239): memcached before 1.4.17 allows remote attackers to bypass authentication by sending an invalid request with SASL credentials, then sending another request with incorrect SASL credentials.
This issue was resolved and addressed in GLSA 201406-13 at http://security.gentoo.org/glsa/glsa-201406-13.xml by GLSA coordinator Chris Reffett (creffett).