Summary: | <net-misc/memcached-1.2.8 Information disclosure (CVE-2009-{1255,1494}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | robbat2, wolf31o2 |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://code.google.com/p/memcachedb/source/diff?spec=svn98&r=98&format=side&path=/trunk/memcachedb.c | ||
Whiteboard: | B4 [noglsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 271246 | ||
Bug Blocks: |
Description
Alex Legler (RETIRED)
2009-05-01 19:43:05 UTC
Robin, can we go stable with 1.2.8?

CVE-2009-1494 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1494): The process_stat function in Memcached 1.2.8 discloses memory-allocation statistics in response to a stats malloc command, which allows remote attackers to obtain potentially sensitive information by sending this command to the daemon's TCP port.

1.3.3-r1 should go to stable. Want the stablereq in this bug, or in a separate one? I'd rank this exploit as fairly low priority, as memcached is meant for use on internal networks only. It would be far more destructive for the attacker to simply flush the cache.

Usually we'd handle stabilization on this bug. It's easier to follow for us and arches.

ppc/ppc64: please see the blocking bug

memcached-1.3.3-r2 stabled on ppc

ppc64 done

rbu: all arches stable

GLSA decision. Upstream is not too clear about the fact that access to the memcached port should be restricted. On the other hand, I suspect if unprivileged users were able to retrieve cached object via that port, other data could be disclosed as well. Since the impact is the defeat of ASLR, but not an immediate compromise, I vote NO.

No, too. Closing.