[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DSA 2832-1] memcached security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2832-1                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
January 01, 2014                       http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : memcached
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-4971 CVE-2013-7239
Debian Bug     : 706426 733643

Multiple vulnerabilities have been found in memcached, a high-performance
memory object caching system. The Common Vulnerabilities and Exposures
project identifies the following issues:

CVE-2011-4971

    Stefan Bucur reported that memcached could be caused to crash by
    sending a specially crafted packet.

CVE-2013-7239

    It was reported that SASL authentication could be bypassed due to a
    flaw related to the managment of the SASL authentication state. With
    a specially crafted request, a remote attacker may be able to
    authenticate with invalid SASL credentials.

For the oldstable distribution (squeeze), these problems have been fixed
in version 1.4.5-1+deb6u1. Note that the patch for CVE-2013-7239 was not
applied for the oldstable distribution as SASL support is not enabled in
this version. This update also provides the fix for CVE-2013-0179 which
was fixed for stable already.

For the stable distribution (wheezy), these problems have been fixed in
version 1.4.13-0.2+deb7u1.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your memcached packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBCgAGBQJSw/k7AAoJEAVMuPMTQ89EN9cP/2+3NUmG98Jp4GXewX4KnXeJ
Us08m4dlTyNEjVu3z8vAJ9iIvu28zyiYwKp6msyyc0155D6hNmmxkNfhGI/IgDBi
QPo2AZrvWvTafztNyRzyBKzQHK3DlM9LEGYZC6rOpNWEF2xv1lT6vwWDj/fZRDiA
6pqGX/iERk/9EK4WeXi1KlTNzzOJJOQkN4NeoQEeUWec5s6V0/fOKoVccbKI9pOE
8UXL1Hqz3BK9YsNu8a5qadrSZ/3fRSHcmz3Drt7pyVpmJw4jzB126TZF8UJsLspQ
28wxOYISYJJvNXBJZM5oEjjssokzZw3Y1UYljY2Jc4sTUwLcWIQxM36AvlRrZ8Yj
0YoaA3UMfYeEtcPsv24/f8r8gEZsq4cVPatHBm4Ke/rmMttYiuX3n2iVfLiYdE6S
ByfMZ4Rqk17SzUf6TCjsfomU45SGjtOzIEKwXBNBSGjK6Lej8zqKffNhvCH3ZwoH
t0JS4qAr5EWdSuZkLLEtAu91qTGLJlxsPZk7odWyYA+Oe6c1Mobm2+PpfXgY0v/L
H0ktTng+g/glH/3pnDzvBNthjLE8mN2ioFBEH5WFBiN2hZnGck2WXGzjWG4B9cAO
gqFPlp+gP0m6ZmE1CyYdhR8ZgLhb+WZ8LbldYAIDWkA303gvnE5Enmn2NXrtFbBN
LM+/KdVYzK4ZrVccPtkb
=tx8/
-----END PGP SIGNATURE-----


Reply to: