CVE-2023-27478: libmemcached-awesome is an open source C/C++ client library and tools for the memcached server. `libmemcached` could return data for a previously requested key, if that previous request timed out due to a low `POLL_TIMEOUT`. This issue has been addressed in version 1.1.4. Users are advised to upgrade. There are several ways to work around or lower the probability of this bug affecting a given deployment. 1: use a reasonably high `POLL_TIMEOUT` setting, like the default. 2: use separate libmemcached connections for unrelated data. 3: do not re-use libmemcached connections in an unknown state.
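A simplified model of the failure described above, added here as an illustration (it is not libmemcached's code and not part of the original report). It assumes replies are read from a connection in request order, so a reply left unread after a timeout is handed to the next request; the `Connection` and `Client` classes and the sample keys are constructed for this example.

```python
from collections import deque

# Constructed sample data standing in for a memcached server's contents.
STORE = {"session:alice": "alice-profile", "session:bob": "bob-profile"}


class Connection:
    """Toy model of one client/server stream: replies queue in request order."""

    def __init__(self, store):
        self.store = store
        self.unread = deque()        # replies sent by the server, not yet read
        self.unknown_state = False   # set once a read has timed out

    def send_get(self, key):
        self.unread.append(self.store[key])

    def read_reply(self, timed_out):
        if timed_out:
            # The poll gave up early: the reply stays in the stream unread.
            self.unknown_state = True
            return None
        return self.unread.popleft()


class Client:
    """drop_on_timeout=True models workaround 3: never re-use a connection
    that is in an unknown state."""

    def __init__(self, store, drop_on_timeout):
        self.store = store
        self.drop_on_timeout = drop_on_timeout
        self.conn = Connection(store)

    def get(self, key, timed_out=False):
        if self.drop_on_timeout and self.conn.unknown_state:
            self.conn = Connection(self.store)   # discard and reconnect
        self.conn.send_get(key)
        return self.conn.read_reply(timed_out)


def demo(drop_on_timeout):
    """First request times out, second is served on the same client."""
    client = Client(STORE, drop_on_timeout)
    first = client.get("session:alice", timed_out=True)
    second = client.get("session:bob")
    return first, second


if __name__ == "__main__":
    print("re-used connection:", demo(drop_on_timeout=False))
    print("dropped on timeout:", demo(drop_on_timeout=True))
```

With the connection re-used, the request for `session:bob` receives the stale reply for `session:alice`; with the connection discarded after the timeout, it receives its own value.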
Please clean up vulnerable versions 1.1.2 and 1.1.3-r1.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5496a185cac8e593b6dfd3160b310b5d1f39766

commit f5496a185cac8e593b6dfd3160b310b5d1f39766
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2023-10-03 09:20:58 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-10-03 13:28:15 +0000

    dev-libs/libmemcached-awesome: drop vulnerable

    Bug: https://bugs.gentoo.org/905335
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-libs/libmemcached-awesome/Manifest | 2 -
 .../libmemcached-awesome-1.1.2.ebuild | 46 ---------------------
 .../libmemcached-awesome-1.1.3-r1.ebuild | 47 ----------------------
 3 files changed, 95 deletions(-)