memcached: CVE-2013-7291

Related Vulnerabilities: CVE-2013-7291, CVE-2013-7290

Debian Bug report logs - #735314
memcached: CVE-2013-7291


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 14 Jan 2014 15:57:06 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version memcached/1.4.5-1

Fixed in versions 1.4.13-0.2+deb7u2, memcached/1.4.20-1

Done: Guillaume Delacour <gui@iroqwa.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, David Martínez Moreno <ender@debian.org>:
Bug#735314; Package memcached. (Tue, 14 Jan 2014 15:57:11 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, David Martínez Moreno <ender@debian.org>. (Tue, 14 Jan 2014 15:57:11 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: memcached: CVE-2013-7291
Date: Tue, 14 Jan 2014 16:54:59 +0100
Package: memcached
Version: 1.4.5-1
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for memcached.

CVE-2013-7291[0]:
denial of service issue via unbounded key print

In [1] there are mentioned two additional fixes, where CVE-2013-7290
should be already addressed (touches items.c) in 1.4.13-0.2 and
1.4.5-1+deb6u1.

CVE-2013-7291 seems for the additional commit touching memcached.c in
[2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7291
    http://security-tracker.debian.org/tracker/CVE-2013-7291
[1] https://code.google.com/p/memcached/issues/detail?id=306#c7
[2] https://github.com/memcached/memcached/commit/fbe823d9a61b5149cd6e3b5e17bd28dd3b8dd760

Regards,
Salvatore



Reply sent to Guillaume Delacour <gui@iroqwa.org>:
You have taken responsibility. (Sun, 12 Oct 2014 13:09:46 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 12 Oct 2014 13:09:46 GMT)


Message #10 received at 735314-close@bugs.debian.org:

From: Guillaume Delacour <gui@iroqwa.org>
To: 735314-close@bugs.debian.org
Subject: Bug#735314: fixed in memcached 1.4.20-1
Date: Sun, 12 Oct 2014 13:04:12 +0000
Source: memcached
Source-Version: 1.4.20-1

We believe that the bug you reported is fixed in the latest version of
memcached, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 735314@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillaume Delacour <gui@iroqwa.org> (supplier of updated memcached package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 04 Oct 2014 15:19:45 +0200
Source: memcached
Binary: memcached
Architecture: source amd64
Version: 1.4.20-1
Distribution: unstable
Urgency: medium
Maintainer: David Martínez Moreno <ender@debian.org>
Changed-By: Guillaume Delacour <gui@iroqwa.org>
Description:
 memcached  - high-performance memory object caching system
Closes: 587797 641770 672125 683144 685800 709163 710015 721203 733588 735314 761027
Changes:
 memcached (1.4.20-1) unstable; urgency=medium
 .
   * New upstream release: (Closes: #733588)
     - Includes fix for CVE-2013-7291 (Closes: #735314)
     - Fix build for arm64 port (Closes: #761027, #721203)
   * Add myself to Uploaders
   * Provide scripts/damemtop, scripts/mc_slab_mover
   * README is now README.md
   * Suggests perl modules used by the new scripts
   * Packaging updates:
     - Switch to debhelper 9 and use source format 3.0
     - remove dpkg-dev and quilt Build-Deps,
     - add adduser dependency
     - use all hardening options
     - remove unnecessary debian/README.source
     - update debian/copyright to use the machine-readable format
   * Bumped policy version to 3.9.6 (no changes needed)
   * Use dedicated memcache user instead of nobody, thanks Clint Byrum
     (Closes: #587797)
   * Use DEP-8 to test the package, thanks Yolanda Robla (Closes: #710015)
   * Update description to remove "A" article and change Homepage
   * Handle end of line comments in memcached.conf (Closes: #683144)
   * Update debian/watch to track memcached.org (github has old 1.6.0-beta1)
   * Update upstream manpage to add missing options (Closes: #685800)
   * Add Vcs-{Git,Browser}
   * Provide systemd support.
   * Provide the status for several instances in scripts/memcached-init, if
     the script is used. (Closes: #709163, LP: #1177398)
 .
   [ Ana Beatriz Guerrero Lopez ]
   * As discussed with David by IRC, sponsor the package with Guillaume
     co-maintaining.
   * Add the stanza "XS-Testsuite: autopkgtest" in debian/control
   * Acknowledge old NMUs from Arno Töll. (Closes: #641770, #672125)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 22 Feb 2016 07:28:57 GMT)


Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 05 Nov 2016 15:09:07 GMT)


Marked as fixed in versions 1.4.13-0.2+deb7u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 05 Nov 2016 15:09:07 GMT)


Bug archived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 05 Nov 2016 15:09:07 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:33:50 2019; Machine Name: beach
