Claims to affect 1.6.0, 1.6.1, unclear if it affects others. Awaiting upstream confirm and fix. Bug report: https://github.com/memcached/memcached/issues/629
NOTE: Only 1.6.0, 1.6.1 are affected. Patch: https://github.com/memcached/memcached/commit/02c6a2b62ddcb6fa4569a591d3461a156a636305
Fixed release: https://github.com/memcached/memcached/wiki/ReleaseNotes162 Workaround: "disable the binary protocol if you are not using it (-B ascii)."
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=058978523fe278aa97314b8dee17539b62ebe41d

commit 058978523fe278aa97314b8dee17539b62ebe41d
Author: Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-03-23 17:57:38 +0000
Commit: Robin H. Johnson <robbat2@gentoo.org>
CommitDate: 2020-03-23 19:26:19 +0000

    net-misc/memcached: Bump 1.6.x release (security fix)

    Only affects 1.6.0, 1.6.1.

    Bug: https://bugs.gentoo.org/714068
    Closes: https://github.com/gentoo/gentoo/pull/15072
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>

 net-misc/memcached/Manifest               |  1 +
 net-misc/memcached/memcached-1.6.2.ebuild | 99 +++++++++++++++++++++++++++++++
 2 files changed, 100 insertions(+)
@maintainer(s): please clean up by dropping =net-misc/memcached-1.6.0, 1.6.1. Thanks for getting the fix in so quickly.
*** Bug 714230 has been marked as a duplicate of this bug. ***
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=131272ff2dc52fe5c0a4859a15dee3d3f31f2de9

commit 131272ff2dc52fe5c0a4859a15dee3d3f31f2de9
Author: Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-03-24 19:27:53 +0000
Commit: Robin H. Johnson <robbat2@gentoo.org>
CommitDate: 2020-03-24 19:47:22 +0000

    net-misc/memcached: Cleanup vulnerable versions (1.6.{0,1})

    Bug: https://bugs.gentoo.org/714068
    Closes: https://github.com/gentoo/gentoo/pull/15092
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>

 net-misc/memcached/Manifest               |   2 -
 net-misc/memcached/memcached-1.6.0.ebuild | 100 ------------------------------
 net-misc/memcached/memcached-1.6.1.ebuild |  99 -----------------------------
 3 files changed, 201 deletions(-)
All done, thank you.
CVE-2020-10931 (https://nvd.nist.gov/vuln/detail/CVE-2020-10931): Memcached 1.6.x before 1.6.2 allows remote attackers to cause a denial of service (daemon crash) via a crafted binary protocol header to try_read_command_binary in memcached.c.