| Field | Value |
|---|---|
| Summary | ~net-misc/memcached-1.6.2: RCE via binary protocol (CVE-2020-10931) |
| Product | Gentoo Security |
| Reporter | Sam James <sam> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | trivial |
| CC | prometheanfire, robbat2, whissi |
| Priority | Normal |
| Keywords | PullRequest |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://github.com/memcached/memcached/issues/629 |
| See Also | https://github.com/gentoo/gentoo/pull/15072, https://github.com/gentoo/gentoo/pull/15092 |
| Whiteboard | ~1 [noglsa cve] |
| Package list | |
| Runtime testing required | --- |
Description

Sam James, 2020-03-23 14:05:36 UTC

NOTE: Only 1.6.0, 1.6.1 are affected.

Patch: https://github.com/memcached/memcached/commit/02c6a2b62ddcb6fa4569a591d3461a156a636305

Fixed release: https://github.com/memcached/memcached/wiki/ReleaseNotes162

Workaround: "disable the binary protocol if you are not using it (-B ascii)."

---

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=058978523fe278aa97314b8dee17539b62ebe41d

```
commit 058978523fe278aa97314b8dee17539b62ebe41d
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-03-23 17:57:38 +0000
Commit:     Robin H. Johnson <robbat2@gentoo.org>
CommitDate: 2020-03-23 19:26:19 +0000

    net-misc/memcached: Bump 1.6.x release (security fix)

    Only affects 1.6.0, 1.6.1.

    Bug: https://bugs.gentoo.org/714068
    Closes: https://github.com/gentoo/gentoo/pull/15072
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>

 net-misc/memcached/Manifest               |  1 +
 net-misc/memcached/memcached-1.6.2.ebuild | 99 +++++++++++++++++++++++++++++++
 2 files changed, 100 insertions(+)
```

---

@maintainer(s): please cleanup by dropping =net-misc/memcached-1.6.0, 1.6.1. Thanks for getting the fix in so quickly.

---

*** Bug 714230 has been marked as a duplicate of this bug. ***

---

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=131272ff2dc52fe5c0a4859a15dee3d3f31f2de9

```
commit 131272ff2dc52fe5c0a4859a15dee3d3f31f2de9
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-03-24 19:27:53 +0000
Commit:     Robin H. Johnson <robbat2@gentoo.org>
CommitDate: 2020-03-24 19:47:22 +0000

    net-misc/memcached: Cleanup vulnerable versions (1.6.{0,1})

    Bug: https://bugs.gentoo.org/714068
    Closes: https://github.com/gentoo/gentoo/pull/15092
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>

 net-misc/memcached/Manifest               |   2 -
 net-misc/memcached/memcached-1.6.0.ebuild | 100 ------------------------------
 net-misc/memcached/memcached-1.6.1.ebuild |  99 -----------------------------
 3 files changed, 201 deletions(-)
```

---

All done, thank you.

---

CVE-2020-10931 (https://nvd.nist.gov/vuln/detail/CVE-2020-10931): Memcached 1.6.x before 1.6.2 allows remote attackers to cause a denial of service (daemon crash) via a crafted binary protocol header to try_read_command_binary in memcached.c.
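As an added defender-side example, not part of the bug report or of the memcached project: a small Python check that reads a server's `version` and `stats settings` replies and reports whether it runs an affected release with the binary protocol still reachable, i.e. whether the `-B ascii` workaround or the 1.6.2 upgrade is in place. It assumes the listener protocol is reported under the `binding_protocol` stat name, and its sample replies are constructed rather than captured.

```python
# Added example (not from the bug report or the memcached project): classify a
# memcached server's exposure to CVE-2020-10931 from its text-protocol replies.
# Assumes `stats settings` names the listener protocol "binding_protocol".

AFFECTED_RELEASES = {(1, 6, 0), (1, 6, 1)}  # per the bug: only 1.6.0 and 1.6.1


def parse_version(reply: str) -> tuple:
    """Parse a `version` reply such as "VERSION 1.6.1\\r\\n" into a tuple."""
    parts = reply.strip().split()
    if len(parts) != 2 or parts[0] != "VERSION":
        raise ValueError(f"unexpected version reply: {reply!r}")
    core = parts[1].split("-")[0]  # drop suffixes such as "-rc1"
    return tuple(int(p) for p in core.split("."))


def parse_stats(reply: str) -> dict:
    """Parse "STAT <name> <value>" lines up to the terminating "END"."""
    stats = {}
    for line in reply.splitlines():
        line = line.strip()
        if line == "END":
            break
        fields = line.split(" ", 2)
        if len(fields) == 3 and fields[0] == "STAT":
            stats[fields[1]] = fields[2]
    return stats


def assess(version_reply: str, settings_reply: str) -> dict:
    """Combine release status with whether the binary parser is reachable."""
    version = parse_version(version_reply)
    protocol = parse_stats(settings_reply).get("binding_protocol", "unknown")
    affected = version in AFFECTED_RELEASES
    # Only "ascii" (the -B ascii workaround) removes the binary protocol;
    # "binary" and "auto-negotiate" both leave try_read_command_binary reachable.
    binary_reachable = protocol != "ascii"
    return {
        "version": ".".join(map(str, version)),
        "binding_protocol": protocol,
        "affected_release": affected,
        "exposed": affected and binary_reachable,
    }


# Constructed sample replies standing in for a real socket exchange.
SAMPLE_VERSION = "VERSION 1.6.1\r\n"
SAMPLE_SETTINGS = ("STAT maxbytes 67108864\r\nSTAT tcpport 11211\r\n"
                   "STAT binding_protocol auto-negotiate\r\nEND\r\n")
```

Feed `assess()` the replies to the text-protocol `version` and `stats settings` commands from each host; `exposed` is only true for 1.6.0/1.6.1 servers that have not been switched to `-B ascii`.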