| Field | Value |
|---|---|
| Summary | <net-misc/memcached-1.4.17: SASL authentication allows wrong credentials to access memcache (CVE-2013-7239) |
| Product | Gentoo Security |
| Reporter | Samuel Damashek (RETIRED) <sdamashek> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | robbat2 |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://www.openwall.com/lists/oss-security/2013/12/30/4 |
| Whiteboard | A3 [glsa] |
| Package list | |
| Runtime testing required | --- |
Description
Samuel Damashek (RETIRED)
2013-12-30 16:44:52 UTC
Thank you for the report Samuel. Upstream fix in version 1.4.17; also 1.4.17 available in tree. Maintainer(s), please advise when ready for stabilization.

Just need to remove the old versions?

Current stable version is: 1.4.13-r1. This version is vulnerable as all versions are < 1.4.17. 1.4.17 is in a tree but is not stable at this time. It needs to be stabilized and then 1.4.* removed as part of cleanup. My question is: are we ready to stabilize 1.4.17, as we can call for stabilization if the maintainers think that they are ready for it.

Is that all ebuilds less than 1.4.17, or just all less than 1.4.17 in the 1.4.x branch?

arches, please stabilize =net-misc/memcached-1.4.17

SASL support in memcached was introduced in 1.4.3 (if I am correct), so that means the 1.4.x tree is vulnerable and not the previous versions.

Stable for HPPA.

amd64 stable

x86 stable

ppc64 stable

ppc stable

alpha stable

arm stable

ia64 stable

sparc stable.

Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

Did a little extra cleanup, but all the badness was removed. The following were removed:

- memcached-1.4.0-r2.ebuild
- memcached-1.4.0-r3.ebuild
- memcached-1.4.10-r1.ebuild
- memcached-1.4.11.ebuild
- memcached-1.4.13.ebuild
- memcached-1.4.13-r1.ebuild
- memcached-1.4.1-r1.ebuild
- memcached-1.4.2-r1.ebuild
- memcached-1.4.4-r1.ebuild
- memcached-1.4.5-r1.ebuild
- memcached-1.4.7-r1.ebuild
- memcached-1.4.8-r1.ebuild
- memcached-1.3.0-r1.ebuild
- memcached-1.3.3-r3.ebuild
- memcached-1.3.3-r4.ebuild
- memcached-1.2.5-r1.ebuild
- memcached-1.2.4-r1.ebuild
- memcached-1.2.1-r2.ebuild
- memcached-1.1.12-r3.ebuild

The following remain:

- memcached-1.1.13-r2.ebuild
- memcached-1.1.13-r3.ebuild
- memcached-1.2.6-r1.ebuild
- memcached-1.2.8-r1.ebuild
- memcached-1.3.3-r5.ebuild
- memcached-1.4.17.ebuild

Gonna remove myself from cc cause I'm done here, feel free to re-add if needed.

Maintainer(s), thank you for your work! GLSA Request Filed.
CVE-2013-7239 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7239): memcached before 1.4.17 allows remote attackers to bypass authentication by sending an invalid request with SASL credentials, then sending another request with incorrect SASL credentials.

This issue was resolved and addressed in GLSA 201406-13 at http://security.gentoo.org/glsa/glsa-201406-13.xml by GLSA coordinator Chris Reffett (creffett).
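As an added example (not part of this bug, the GLSA, or the memcached project), the following Python check classifies an installed memcached version against the two ranges stated in this bug: affected before 1.4.17 per the advisory, and SASL code present from 1.4.3 onward per the maintainer comment above (which its author qualified with "if I am correct"). It accepts both upstream (`1.4.13`) and Gentoo ebuild (`1.4.13-r1`) version strings, and can also read the version from a running daemon's reply to the ASCII `version` command. The host and port are assumed defaults; an instance started with SASL enabled does not serve the ASCII protocol and will not answer that query, so pass the installed package version on the command line in that case.

```python
"""Exposure check for CVE-2013-7239 (memcached SASL authentication bypass).

Added example, not code from the Gentoo bug or from memcached itself.
Thresholds come from the bug text: NVD says affected before 1.4.17; a
maintainer comment says SASL support was introduced in 1.4.3.
"""
import re
import socket

FIXED_IN = (1, 4, 17)        # first fixed release per the advisory
SASL_INTRODUCED = (1, 4, 3)  # per the maintainer comment (stated with "if I am correct")

# Upstream "1.4.13" or Gentoo "1.4.13-r1" (revision suffix optional).
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-r(\d+))?$")


def parse_version(s):
    """Parse a memcached version string into (major, minor, patch, gentoo_rev).

    The Gentoo -rN revision is kept as a fourth component so 1.4.13-r1 sorts
    between 1.4.13 and 1.4.14, but it does not change the upstream version the
    CVE range is evaluated against.
    """
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError("unrecognised memcached version: %r" % (s,))
    major, minor, patch, rev = m.groups()
    return (int(major), int(minor), int(patch), int(rev or 0))


def assess(version):
    """Describe exposure to CVE-2013-7239 for one version string."""
    upstream = parse_version(version)[:3]
    affected = upstream < FIXED_IN
    return {
        "version": version,
        "affected_per_advisory": affected,                 # NVD range: < 1.4.17
        "sasl_code_present": upstream >= SASL_INTRODUCED,  # SASL landed in 1.4.3 per the bug
        "action": "upgrade to >=net-misc/memcached-1.4.17" if affected else "none",
    }


def parse_version_reply(reply):
    """Extract the version from memcached's reply to the ASCII 'version' command.

    Expected form: b'VERSION 1.4.13\\r\\n'.
    """
    m = re.match(rb"^VERSION (\S+)\r\n", reply)
    if not m:
        raise ValueError("unexpected reply: %r" % (reply,))
    return m.group(1).decode("ascii")


def query_version(host="127.0.0.1", port=11211, timeout=3.0):
    """Ask a running memcached for its version over the ASCII protocol.

    host/port are assumed defaults for this example. A SASL-enabled instance
    speaks only the binary protocol and will not answer this command.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"version\r\n")
        return parse_version_reply(s.recv(64))


if __name__ == "__main__":
    import sys
    # Version given on the command line (e.g. the installed ebuild version),
    # otherwise ask the local daemon.
    ver = sys.argv[1] if len(sys.argv) > 1 else query_version()
    print(assess(ver))
```

Run as `python check.py 1.4.13-r1` to evaluate the stable version named in this bug, or with no argument to query a local daemon; the classification reports both the advisory range and whether the SASL code path exists at all, so pre-1.4.3 ebuilds left in tree can be distinguished from the 1.4.x builds the maintainer identified as the exposed branch.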