-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:010 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : memcached Date : January 17, 2014 Affected: Business Server 1.0, Enterprise Server 5.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities has been discovered and corrected in memcached: The process_bin_delete function in memcached.c in memcached 1.4.4 and other versions before 1.4.17, when running in verbose mode, allows remote attackers to cause a denial of service (segmentation fault) via a request to delete a key, which does not account for the lack of a null terminator in the key and triggers a buffer over-read when printing to stderr (CVE-2013-0179). memcached before 1.4.17 allows remote attackers to bypass authentication by sending an invalid request with SASL credentials, then sending another request with incorrect SASL credentials (CVE-2013-7239). The do_item_get function in items.c in memcached 1.4.4 and other versions before 1.4.17, when running in verbose mode, allows remote attackers to cause a denial of service (segmentation fault) via a request to delete a key, which does not account for the lack of a null terminator in the key and triggers a buffer over-read when printing to stderr, a different vulnerability than CVE-2013-0179 (CVE-2013-7290). memcached before 1.4.17, when running in verbose mode, allows remote attackers to cause a denial of service (crash) via a request that triggers an unbounded key print during logging, related to an issue that was quickly grepped out of the source tree, a different vulnerability than CVE-2013-0179 and CVE-2013-7290 (CVE-2013-7291). The updated packages have been upgraded to the 1.4.17 version which is unaffected by these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0179 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7239 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7290 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7291 https://code.google.com/p/memcached/wiki/ReleaseNotes1417 _______________________________________________________________________ Updated Packages: Mandriva Enterprise Server 5: a16c2422bfa525dbbaaf53a1947eb857 mes5/i586/memcached-1.4.17-0.1mdvmes5.2.i586.rpm bb30dd36547f39e0cc197e3286882c62 mes5/i586/memcached-devel-1.4.17-0.1mdvmes5.2.i586.rpm ef22bb85c812d510bde6110098a38f01 mes5/SRPMS/memcached-1.4.17-0.1mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: 74c7f0f6ece79b4cbe924c8d41670d7a mes5/x86_64/memcached-1.4.17-0.1mdvmes5.2.x86_64.rpm a4b21173b04c8944067f34870b948fba mes5/x86_64/memcached-devel-1.4.17-0.1mdvmes5.2.x86_64.rpm ef22bb85c812d510bde6110098a38f01 mes5/SRPMS/memcached-1.4.17-0.1mdvmes5.2.src.rpm Mandriva Business Server 1/X86_64: 8035d2870bcd192b1c6b6419256e4714 mbs1/x86_64/memcached-1.4.17-1.mbs1.x86_64.rpm 5343cfb775b8adc04760f6b5717aa4ce mbs1/x86_64/memcached-devel-1.4.17-1.mbs1.x86_64.rpm d7a230375722086b5419ca49544de75c mbs1/SRPMS/memcached-1.4.17-1.mbs1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFS2Q5omqjQ0CJFipgRAmQPAKCpbbljUvxwXBSzyzSuIAq56bRBygCdH1E6 0mBdsWBHW14kxDPmOwU604Y= =qOuN -----END PGP SIGNATURE-----