lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 01 Jan 2014 11:17:45 +0000
From: Salvatore Bonaccorso <carnil@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 2832-1] memcached security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2832-1                   security@...ian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
January 01, 2014                       http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : memcached
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-4971 CVE-2013-7239
Debian Bug     : 706426 733643

Multiple vulnerabilities have been found in memcached, a high-performance
memory object caching system. The Common Vulnerabilities and Exposures
project identifies the following issues:

CVE-2011-4971

    Stefan Bucur reported that memcached could be caused to crash by
    sending a specially crafted packet.

CVE-2013-7239

    It was reported that SASL authentication could be bypassed due to a
    flaw related to the managment of the SASL authentication state. With
    a specially crafted request, a remote attacker may be able to
    authenticate with invalid SASL credentials.

For the oldstable distribution (squeeze), these problems have been fixed
in version 1.4.5-1+deb6u1. Note that the patch for CVE-2013-7239 was not
applied for the oldstable distribution as SASL support is not enabled in
this version. This update also provides the fix for CVE-2013-0179 which
was fixed for stable already.

For the stable distribution (wheezy), these problems have been fixed in
version 1.4.13-0.2+deb7u1.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your memcached packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@...ts.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBCgAGBQJSw/k7AAoJEAVMuPMTQ89EN9cP/2+3NUmG98Jp4GXewX4KnXeJ
Us08m4dlTyNEjVu3z8vAJ9iIvu28zyiYwKp6msyyc0155D6hNmmxkNfhGI/IgDBi
QPo2AZrvWvTafztNyRzyBKzQHK3DlM9LEGYZC6rOpNWEF2xv1lT6vwWDj/fZRDiA
6pqGX/iERk/9EK4WeXi1KlTNzzOJJOQkN4NeoQEeUWec5s6V0/fOKoVccbKI9pOE
8UXL1Hqz3BK9YsNu8a5qadrSZ/3fRSHcmz3Drt7pyVpmJw4jzB126TZF8UJsLspQ
28wxOYISYJJvNXBJZM5oEjjssokzZw3Y1UYljY2Jc4sTUwLcWIQxM36AvlRrZ8Yj
0YoaA3UMfYeEtcPsv24/f8r8gEZsq4cVPatHBm4Ke/rmMttYiuX3n2iVfLiYdE6S
ByfMZ4Rqk17SzUf6TCjsfomU45SGjtOzIEKwXBNBSGjK6Lej8zqKffNhvCH3ZwoH
t0JS4qAr5EWdSuZkLLEtAu91qTGLJlxsPZk7odWyYA+Oe6c1Mobm2+PpfXgY0v/L
H0ktTng+g/glH/3pnDzvBNthjLE8mN2ioFBEH5WFBiN2hZnGck2WXGzjWG4B9cAO
gqFPlp+gP0m6ZmE1CyYdhR8ZgLhb+WZ8LbldYAIDWkA303gvnE5Enmn2NXrtFbBN
LM+/KdVYzK4ZrVccPtkb
=tx8/
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ