Bug 905335 (CVE-2023-27478)

Summary: <dev-libs/libmemcached-awesome-1.1.4: request confusion
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: hydrapolic, proxy-maint
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/awesomized/libmemcached/security/advisories/GHSA-wwmh-39wj-fx59
See Also: https://github.com/gentoo/gentoo/pull/33165
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-29 21:11:55 UTC
CVE-2023-27478:

libmemcached-awesome is an open source C/C++ client library and tools for the memcached server. `libmemcached` could return data for a previously requested key, if that previous request timed out due to a low `POLL_TIMEOUT`. This issue has been addressed in version 1.1.4. Users are advised to upgrade. There are several ways to work around or lower the probability of this bug affecting a given deployment. 1: use a reasonably high `POLL_TIMEOUT` setting, like the default. 2: use separate libmemcached connections for unrelated data. 3: do not re-use libmemcached connections in an unknown state.
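
The request confusion described above, and workaround 3, as a toy C model added here (not libmemcached code and not the 1.1.4 fix). `struct conn`, `conn_get`, `safe_get` and the keys are hypothetical, and the model assumes a connection that pairs the oldest unread reply with the current request.

```c
#include <stdio.h>
#include <string.h>
#define QLEN 8   /* constructed sizes for the toy model */
#define VLEN 64

/* Toy model of one client connection (hypothetical, not libmemcached's API):
 * replies arrive in request order and are matched by position only. */
struct conn {
    char replies[QLEN][VLEN]; /* replies sent by the server, not yet read */
    int head, tail;
    int unknown_state;        /* set when a request timed out */
};

/* Send a GET. If timed_out is non-zero the poll timeout expires before the
 * reply arrives: the caller gets NULL, but the reply still lands later. */
static const char *conn_get(struct conn *c, const char *key, int timed_out)
{
    snprintf(c->replies[c->tail++ % QLEN], VLEN, "value-of:%s", key);
    if (timed_out) {
        c->unknown_state = 1;
        return NULL;
    }
    return c->replies[c->head++ % QLEN]; /* oldest unread reply */
}

/* Workaround 3: never reuse a connection in an unknown state.
 * Dropping the unread replies stands in for close-and-reconnect. */
static const char *safe_get(struct conn *c, const char *key, int timed_out)
{
    if (c->unknown_state) {
        c->head = c->tail;
        c->unknown_state = 0;
    }
    return conn_get(c, key, timed_out);
}

/* Returns the value handed back for key_b after the GET of key_a timed out. */
static const char *after_timeout(int use_safe, const char *key_a, const char *key_b)
{
    static struct conn c;
    memset(&c, 0, sizeof c);
    (use_safe ? safe_get : conn_get)(&c, key_a, 1);
    return (use_safe ? safe_get : conn_get)(&c, key_b, 0);
}

int main(void)
{
    printf("naive: %s\n", after_timeout(0, "session:alice", "session:bob"));
    printf("safe:  %s\n", after_timeout(1, "session:alice", "session:bob"));
}
```

In the naive path the caller asking for `session:bob` is handed the late reply for `session:alice`, which is why the workarounds also recommend separate connections for unrelated data.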
Comment 1 Hans de Graaff gentoo-dev Security 2023-10-03 08:22:19 UTC
Please clean up vulnerable versions 1.1.2 and 1.1.3-r1.
Comment 2 Larry the Git Cow gentoo-dev 2023-10-03 13:28:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5496a185cac8e593b6dfd3160b310b5d1f39766

commit f5496a185cac8e593b6dfd3160b310b5d1f39766
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2023-10-03 09:20:58 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-10-03 13:28:15 +0000

    dev-libs/libmemcached-awesome: drop vulnerable
    
    Bug: https://bugs.gentoo.org/905335
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-libs/libmemcached-awesome/Manifest             |  2 -
 .../libmemcached-awesome-1.1.2.ebuild              | 46 ---------------------
 .../libmemcached-awesome-1.1.3-r1.ebuild           | 47 ----------------------
 3 files changed, 95 deletions(-)