memcached: CVE-2013-0179

Related Vulnerabilities: CVE-2013-0179   CVE-2011-4971  

Debian Bug report logs - #698231

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Tue, 15 Jan 2013 16:33:02 UTC

Severity: grave

Tags: patch, security

Found in version memcached/1.4.5-1

Fixed in versions memcached/1.4.13-0.2, memcached/1.4.5-1+deb6u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://code.google.com/p/memcached/issues/detail?id=306



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, David Martínez Moreno <ender@debian.org>:
Bug#698231; Package memcached. (Tue, 15 Jan 2013 16:33:04 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, David Martínez Moreno <ender@debian.org>. (Tue, 15 Jan 2013 16:33:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: memcached: CVE-2013-0179
Date: Tue, 15 Jan 2013 17:28:15 +0100
Package: memcached
Severity: grave
Tags: security
Justification: user security hole

A minor security issue was found in memcached:
http://www.openwall.com/lists/oss-security/2013/01/14/6

This doesn't warrant a DSA, but you could fix it through a point update.

For Wheezy a minimal fix should be made instead of updating to a new
upstream release.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>:
Bug#698231; Package memcached. (Sat, 19 Jan 2013 14:24:03 GMT)

Acknowledgement sent to Arno Töll <arno@debian.org>:
Extra info received and forwarded to list. Copy sent to David Martínez Moreno <ender@debian.org>. (Sat, 19 Jan 2013 14:24:03 GMT)

Message #10 received at 698231@bugs.debian.org:

From: Arno Töll <arno@debian.org>
To: 698231@bugs.debian.org
Cc: carnil@debian.org
Subject: RE: memcached: CVE-2013-0179
Date: Sat, 19 Jan 2013 15:21:39 +0100
Hi,

looking at the current upload history, I don't think the current
maintainer will prepare a patch for s-p-u. Salvatore, given you asked
yesterday: Are you working on this?

If nobody steps in, I'll NMU the version in unstable at very least,
although I cannot promise this will happen within the next 1-2 days.


-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>:
Bug#698231; Package memcached. (Sat, 19 Jan 2013 15:18:06 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to David Martínez Moreno <ender@debian.org>. (Sat, 19 Jan 2013 15:18:06 GMT)

Message #15 received at 698231@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Arno Töll <arno@debian.org>
Cc: 698231@bugs.debian.org
Subject: Re: memcached: CVE-2013-0179
Date: Sat, 19 Jan 2013 16:16:16 +0100
Hi Arno

On Sat, Jan 19, 2013 at 03:21:39PM +0100, Arno Töll wrote:
> looking at the current upload history, I don't think the current
> maintainer will prepare a patch for s-p-u. Salvatore, given you asked
> yesterday: Are you working on this?
> 
> If nobody steps in, I'll NMU the version in unstable at very least,
> although I cannot promise this will happen within the next 1-2 days.

The patch in the bug report applies, and the reproducer then shows the
correct behaviour. But I noticed that the reporter followed up on the
bug report, mentioning another instance of the problem[1].

 [1]: https://code.google.com/p/memcached/issues/detail?id=306#c6

As you did the last NMUs, if you want to take over, I would happily hand
it over :)

The only thing is if Release Team is happy with it to have it updated
as it is (i.e. native Debian package).

Regards,
Salvatore
[memcached_1.4.13-0.2.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>:
Bug#698231; Package memcached. (Sat, 19 Jan 2013 15:45:05 GMT)

Acknowledgement sent to Arno Töll <arno@debian.org>:
Extra info received and forwarded to list. Copy sent to David Martínez Moreno <ender@debian.org>. (Sat, 19 Jan 2013 15:45:05 GMT)

Message #20 received at 698231@bugs.debian.org:

From: Arno Töll <arno@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 698231@bugs.debian.org
Subject: Re: memcached: CVE-2013-0179
Date: Sat, 19 Jan 2013 16:45:32 +0100
On 19.01.2013 16:16, Salvatore Bonaccorso wrote:
> 
> The only thing is if Release Team is happy with it to have it updated
> as it is (i.e. native Debian package).

Yes, my bad. I wasn't careful enough with that as 1.0 packages make it
pretty easy to produce a native package accidentally. I'll ask in
#debian-release whether they are happy with your debdiff and report back.


-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D

[signature.asc (application/pgp-signature, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 19 Jan 2013 17:15:11 GMT)

Set Bug forwarded-to-address to 'https://code.google.com/p/memcached/issues/detail?id=306'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 19 Jan 2013 17:27:05 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>:
Bug#698231; Package memcached. (Sat, 19 Jan 2013 19:48:06 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to David Martínez Moreno <ender@debian.org>. (Sat, 19 Jan 2013 19:48:06 GMT)

Message #29 received at 698231@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Arno Töll <arno@debian.org>, 698231@bugs.debian.org, 698231-submitter@bugs.debian.org
Subject: Re: Bug#698231: memcached: CVE-2013-0179
Date: Sat, 19 Jan 2013 20:45:03 +0100
Hi

Attached is a proposed debdiff for #698231.

Any comments?

Regards,
Salvatore
[memcached_1.4.13-0.2.debdiff (text/plain, attachment)]

Message sent on to Moritz Muehlenhoff <jmm@inutil.org>:
Bug#698231. (Sat, 19 Jan 2013 19:48:08 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>:
Bug#698231; Package memcached. (Wed, 23 Jan 2013 20:33:05 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to David Martínez Moreno <ender@debian.org>. (Wed, 23 Jan 2013 20:33:05 GMT)

Message #37 received at 698231@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 698231@bugs.debian.org
Subject: memcached: diff for NMU version 1.4.13-0.2
Date: Wed, 23 Jan 2013 21:32:11 +0100
tags 698231 + pending
thanks

Dear maintainer,

I've prepared an NMU for memcached (versioned as 1.4.13-0.2) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[memcached-1.4.13-0.2-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 23 Jan 2013 20:33:07 GMT)

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Mon, 28 Jan 2013 21:03:03 GMT)

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Mon, 28 Jan 2013 21:03:03 GMT)

Message #44 received at 698231-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 698231-close@bugs.debian.org
Subject: Bug#698231: fixed in memcached 1.4.13-0.2
Date: Mon, 28 Jan 2013 21:02:29 +0000
Source: memcached
Source-Version: 1.4.13-0.2

We believe that the bug you reported is fixed in the latest version of
memcached, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 698231@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated memcached package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Wed, 23 Jan 2013 21:22:09 +0100
Source: memcached
Binary: memcached
Architecture: source amd64
Version: 1.4.13-0.2
Distribution: unstable
Urgency: low
Maintainer: David Martínez Moreno <ender@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 memcached  - A high-performance memory object caching system
Closes: 698231
Changes: 
 memcached (1.4.13-0.2) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Add 05_fix-buffer-overrun_when_logging_keys.patch patch
     [SECURITY] CVE-2013-0179: DoS due to buffer overrun when printing out keys
     to be deleted in verbose mode. (Closes: #698231).
Checksums-Sha1: 
 ef93dd68447305b95c54fa73df9f248ae06717e3 1528 memcached_1.4.13-0.2.dsc
 082849bf141ac23fc5dfd73acd1b18bd7acd4e88 329382 memcached_1.4.13-0.2.tar.gz
 121bf718c3329b6428b0f2e23e9bb7a572968fc9 86682 memcached_1.4.13-0.2_amd64.deb
Checksums-Sha256: 
 5ec3bf230b941cdda277c772edc2acb6121d63ee52b9eb2f934503871d7e67bc 1528 memcached_1.4.13-0.2.dsc
 866818e7889591487012748ec978452460f92afbe14a5902d893a093279ce8a0 329382 memcached_1.4.13-0.2.tar.gz
 efe3092e4c597b859c057b26e5a7214cfcae3f743809ec0f4c628394718bb8ae 86682 memcached_1.4.13-0.2_amd64.deb
Files: 
 f3d6b9893f697dc36e3ff79fb8ca5cc0 1528 web optional memcached_1.4.13-0.2.dsc
 c5436366b8fba7a3f7b2e3f6683ae2b7 329382 web optional memcached_1.4.13-0.2.tar.gz
 3f3abe02054b0b3bf7a186be489a6812 86682 web optional memcached_1.4.13-0.2_amd64.deb

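The changelog entry above describes the flaw only as a buffer overrun when memcached prints the key of a delete request in verbose mode. The C program below is an added illustration of that bug class and is not memcached's code or the patch shipped in this upload. It assumes the key arrives as a length-delimited byte string with no terminator (memcached's binary protocol sends nkey raw key bytes) and that the log line was built with a plain "%s", which ignores nkey and reads on until it finds a NUL byte. The request buffer, the function names and the escaping policy are constructed for the example; placing the key in a NUL-terminated array with trailing data makes the over-read deterministic here, whereas on a real heap the read would continue into whatever follows the request and can fault the process.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustration of "buffer overrun when printing out keys to be deleted in
 * verbose mode".  Names, layout and data are assumptions for this example,
 * not memcached's own code.
 *
 * Constructed request (not a captured packet): the key is the 5 bytes
 * "mykey", immediately followed by unrelated data.  The array's implicit
 * trailing NUL stops the over-read deterministically; a real heap buffer
 * has no such guarantee.
 */
static const char request[] = "mykeyUNRELATED-DATA";
static const size_t request_nkey = 5;

/* Vulnerable pattern: trusts a NUL terminator that the protocol never sends. */
size_t log_delete_unsafe(char *out, size_t outsz, const char *key, size_t nkey)
{
    (void)nkey;                                   /* the bug: length ignored */
    int n = snprintf(out, outsz, "Deleting %s\n", key);
    return n < 0 ? 0 : (size_t)n;
}

/*
 * Fixed pattern: emit exactly nkey bytes and never look for a terminator.
 * Non-printable bytes (including embedded NULs, which "%.*s" would stop at)
 * are escaped as \xNN so a hostile key cannot push control characters into
 * the log.  Returns bytes written (excluding the NUL), or 0 if out is too
 * small for the worst case.
 */
size_t log_delete_bounded(char *out, size_t outsz, const char *key, size_t nkey)
{
    const char prefix[] = "Deleting ";
    const size_t prefix_len = sizeof(prefix) - 1;
    size_t n;

    /* worst case: every key byte becomes "\xNN" (4 bytes), plus "\n" and NUL */
    if (outsz < prefix_len + nkey * 4 + 2)
        return 0;

    memcpy(out, prefix, prefix_len);
    n = prefix_len;
    for (size_t i = 0; i < nkey; i++) {
        unsigned char c = (unsigned char)key[i];
        if (isprint(c) && c != '\\')
            out[n++] = (char)c;
        else
            n += (size_t)snprintf(out + n, outsz - n, "\\x%02x", c);
    }
    out[n++] = '\n';
    out[n] = '\0';
    return n;
}

/* Helpers that expose the two behaviours as return values. */
size_t unsafe_len(const char *key, size_t nkey)
{
    char line[128];
    return log_delete_unsafe(line, sizeof line, key, nkey);
}

int bounded_equals(const char *key, size_t nkey, const char *expected)
{
    char line[128];
    if (log_delete_bounded(line, sizeof line, key, nkey) == 0)
        return 0;
    return strcmp(line, expected) == 0;
}

int main(void)
{
    char line[128];
    log_delete_unsafe(line, sizeof line, request, request_nkey);
    fputs(line, stderr);   /* swept up the trailing data: over-read */
    log_delete_bounded(line, sizeof line, request, request_nkey);
    fputs(line, stderr);   /* exactly the 5-byte key */
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; the first line on stderr shows the "%s" read running past the key into the trailing data, the second shows the bounded version stopping at nkey. A `%.*s` with `(int)nkey` would also bound the read, but it still stops at an embedded NUL, so the byte loop is the more faithful fix for keys that are arbitrary bytes.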




Information forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>:
Bug#698231; Package memcached. (Tue, 29 Jan 2013 12:18:03 GMT)

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to David Martínez Moreno <ender@debian.org>. (Tue, 29 Jan 2013 12:18:03 GMT)

Message #49 received at 698231@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 698231@bugs.debian.org
Subject: Re: memcached: CVE-2013-0179
Date: Tue, 29 Jan 2013 12:15:02 -0000
Package: memcached

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.7) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/698231/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 07:47:06 GMT)

Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 31 Dec 2013 07:24:08 GMT)

Marked as found in versions memcached/1.4.5-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 31 Dec 2013 07:24:09 GMT)

Marked as fixed in versions memcached/1.4.5-1+deb6u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 01 Jan 2014 12:03:04 GMT)

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 02 Jan 2014 13:51:10 GMT)

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Thu, 02 Jan 2014 13:51:10 GMT)

Message #62 received at 698231-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 698231-close@bugs.debian.org
Subject: Bug#698231: fixed in memcached 1.4.5-1+deb6u1
Date: Thu, 02 Jan 2014 13:47:31 +0000
Source: memcached
Source-Version: 1.4.5-1+deb6u1

We believe that the bug you reported is fixed in the latest version of
memcached, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 698231@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated memcached package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 31 Dec 2013 08:25:46 +0100
Source: memcached
Binary: memcached
Architecture: source amd64
Version: 1.4.5-1+deb6u1
Distribution: squeeze-security
Urgency: high
Maintainer: David Martínez Moreno <ender@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 memcached  - A high-performance memory object caching system
Closes: 698231 706426
Changes: 
 memcached (1.4.5-1+deb6u1) squeeze-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add 03_fix-buffer-overrun_when_logging_keys.patch patch.
     CVE-2013-0179: DoS due to buffer overrun when printing out keys to be
     deleted in verbose mode. (Closes: #698231)
   * Add 04_CVE-2011-4971.patch.
     CVE-2011-4971: Fix remote denial of service. Sending a specially crafted
     packet causes memcached to segfault. (Closes: #706426)
Checksums-Sha1: 
 b89af44ed7177f382fba9d751e8aef3c126f0f87 1712 memcached_1.4.5-1+deb6u1.dsc
 c7d6517764b82d23ae2de76b56c2494343c53f02 302516 memcached_1.4.5.orig.tar.gz
 3c930d2b7a66b065ada9eb1c46c94c55f5090fde 10965 memcached_1.4.5-1+deb6u1.diff.gz
 5eb9a5843333495a5c39fb6fb594a156d009cad9 76622 memcached_1.4.5-1+deb6u1_amd64.deb
Checksums-Sha256: 
 eff2417dde202b92c51d3f665c3bea6aa6441f7d1d19cc517e6ab250dbc13a3c 1712 memcached_1.4.5-1+deb6u1.dsc
 9571b4b85484e46b3b10f07ccba77a1fa97d60660b32859f990effefb3005f91 302516 memcached_1.4.5.orig.tar.gz
 05eff830d3f99d76feb247a2267197d71aa6a6e0b98383b1abf258592cf9b6d4 10965 memcached_1.4.5-1+deb6u1.diff.gz
 8de46a28eea780382f1614060406cfe70c3c5d67462bdffd2066858b2528ac57 76622 memcached_1.4.5-1+deb6u1_amd64.deb
Files: 
 4b062f67fa9868b325e3683136ff22ab 1712 web optional memcached_1.4.5-1+deb6u1.dsc
 583441a25f937360624024f2881e5ea8 302516 web optional memcached_1.4.5.orig.tar.gz
 e9f22698a2d8950f3c8899d36ca4c025 10965 web optional memcached_1.4.5-1+deb6u1.diff.gz
 0d466a9ee77d037abb5d8aef2a4e66ff 76622 web optional memcached_1.4.5-1+deb6u1_amd64.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 31 Jan 2014 07:27:29 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:32:01 2019; Machine Name: buxtehude
