Debians sikkerhedsbulletin

DSA-1853-1 memcached -- heap-baseret bufferoverløb

Rapporteret den:

7. aug 2009

Berørte pakker:

memcached

Sårbar:

Referencer i sikkerhedsdatabaser:

I Mitres CVE-ordbog: CVE-2009-2415.

Yderligere oplysninger:

Ronald Volgers opdagede at memcached, et højtydende system til caching af hukommelsesobjekter, var sårbart over for flere heap-baserede bufferoverløb på grund af heltalskonverteringer når der blev behandlet visse længdeattributter. En angriber kunne anvende dette til at udføre vilkårlig kode på systemet, der kører memcached (på etch med root-rettigheder).

I den gamle stabile distribution (etch), er dette problem rettet i version 1.1.12-1+etch1.

I den stabile distribution (lenny), er dette problem rettet i version 1.2.2-1+lenny1.

I distributionen testing (squeeze) og i den ustabile distribution (sid), vil dette problem snart blive rettet.

Vi anbefaler at du opgraderer dine memcached-pakker.

Rettet i:

Debian GNU/Linux 4.0 (etch)

Kildekode:: http://security.debian.org/pool/updates/main/m/memcached/memcached_1.1.12-1+etch1.dsc; http://security.debian.org/pool/updates/main/m/memcached/memcached_1.1.12.orig.tar.gz; http://security.debian.org/pool/updates/main/m/memcached/memcached_1.1.12-1+etch1.diff.gz
Alpha:: http://security.debian.org/pool/updates/main/m/memcached/memcached_1.1.12-1+etch1_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/m/memcached/memcached_1.1.12-1+etch1_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/m/memcached/memcached_1.1.12-1+etch1_arm.deb
HP Precision:: http://security.debian.org/pool/updates/main/m/memcached/memcached_1.1.12-1+etch1_hppa.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/m/memcached/memcached_1.1.12-1+etch1_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/m/memcached/memcached_1.1.12-1+etch1_ia64.deb
Big-endian MIPS:: http://security.debian.org/pool/updates/main/m/memcached/memcached_1.1.12-1+etch1_mips.deb
Little-endian MIPS:: http://security.debian.org/pool/updates/main/m/memcached/memcached_1.1.12-1+etch1_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/m/memcached/memcached_1.1.12-1+etch1_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/m/memcached/memcached_1.1.12-1+etch1_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/m/memcached/memcached_1.1.12-1+etch1_sparc.deb

Debian GNU/Linux 5.0 (lenny)

Kildekode:: http://security.debian.org/pool/updates/main/m/memcached/memcached_1.2.2-1+lenny1.dsc; http://security.debian.org/pool/updates/main/m/memcached/memcached_1.2.2.orig.tar.gz; http://security.debian.org/pool/updates/main/m/memcached/memcached_1.2.2-1+lenny1.diff.gz
Alpha:: http://security.debian.org/pool/updates/main/m/memcached/memcached_1.2.2-1+lenny1_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/m/memcached/memcached_1.2.2-1+lenny1_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/m/memcached/memcached_1.2.2-1+lenny1_arm.deb
ARM EABI:: http://security.debian.org/pool/updates/main/m/memcached/memcached_1.2.2-1+lenny1_armel.deb
HP Precision:: http://security.debian.org/pool/updates/main/m/memcached/memcached_1.2.2-1+lenny1_hppa.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/m/memcached/memcached_1.2.2-1+lenny1_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/m/memcached/memcached_1.2.2-1+lenny1_ia64.deb
Big-endian MIPS:: http://security.debian.org/pool/updates/main/m/memcached/memcached_1.2.2-1+lenny1_mips.deb
Little-endian MIPS:: http://security.debian.org/pool/updates/main/m/memcached/memcached_1.2.2-1+lenny1_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/m/memcached/memcached_1.2.2-1+lenny1_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/m/memcached/memcached_1.2.2-1+lenny1_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/m/memcached/memcached_1.2.2-1+lenny1_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.