Debian Bug report logs - #698231
memcached: CVE-2013-0179
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, David Martínez Moreno <ender@debian.org>: Bug#698231; Package memcached. (Tue, 15 Jan 2013 16:33:04 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, David Martínez Moreno <ender@debian.org>. (Tue, 15 Jan 2013 16:33:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: memcached
Severity: grave
Tags: security
Justification: user security hole
A minor security issue was found in memcached:
http://www.openwall.com/lists/oss-security/2013/01/14/6
This doesn't warrant a DSA, but you could fix it through a point update.
For Wheezy a minimal fix should be made instead of updating to a new
upstream release.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>: Bug#698231; Package memcached. (Sat, 19 Jan 2013 14:24:03 GMT)
Acknowledgement sent to Arno Töll <arno@debian.org>: Extra info received and forwarded to list. Copy sent to David Martínez Moreno <ender@debian.org>. (Sat, 19 Jan 2013 14:24:03 GMT)
Message #10 received at 698231@bugs.debian.org:
Hi,
looking at the current upload history, I don't think the current
maintainer will prepare a patch for s-p-u. Salvatore, given you asked
yesterday: Are you working on this?
If nobody steps in, I'll NMU the version in unstable at very least,
although I cannot promise this will happen within the next 1-2 days.
--
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D
Information forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>: Bug#698231; Package memcached. (Sat, 19 Jan 2013 15:18:06 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to David Martínez Moreno <ender@debian.org>. (Sat, 19 Jan 2013 15:18:06 GMT)
Message #15 received at 698231@bugs.debian.org:
Hi Arno
On Sat, Jan 19, 2013 at 03:21:39PM +0100, Arno Töll wrote:
> looking at the current upload history, I don't think the current
> maintainer will prepare a patch for s-p-u. Salvatore, given you asked
> yesterday: Are you working on this?
>
> If nobody steps in, I'll NMU the version in unstable at very least,
> although I cannot promise this will happen within the next 1-2 days.
The patch in the bugreport applies, and the reproducer then shows the
correct behaviour. But I noticed that the reporter followed up on the
bugreport and mentioned another instance of the problem[1].
[1]: https://code.google.com/p/memcached/issues/detail?id=306#c6
As you did the last NMUs, if you want to take over, I would happily hand
it over :)
The only thing is if Release Team is happy with it to have it updated
as it is (i.e. native Debian package).
Regards,
Salvatore
[memcached_1.4.13-0.2.debdiff (text/plain, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>: Bug#698231; Package memcached. (Sat, 19 Jan 2013 15:45:05 GMT)
Acknowledgement sent to Arno Töll <arno@debian.org>: Extra info received and forwarded to list. Copy sent to David Martínez Moreno <ender@debian.org>. (Sat, 19 Jan 2013 15:45:05 GMT)
Message #20 received at 698231@bugs.debian.org:
On 19.01.2013 16:16, Salvatore Bonaccorso wrote:
>
> The only thing is if Release Team is happy with it to have it updated
> as it is (i.e. native Debian package).
Yes, my bad. I wasn't careful enough with that as 1.0 packages make it
pretty easy to produce a native package accidentally. I'll ask in
#debian-release whether they are happy with your debdiff and report back.
--
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D
Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 19 Jan 2013 17:15:11 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>: Bug#698231; Package memcached. (Sat, 19 Jan 2013 19:48:06 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to David Martínez Moreno <ender@debian.org>. (Sat, 19 Jan 2013 19:48:06 GMT)
Message #29 received at 698231@bugs.debian.org:
Hi
Attached is a proposed debdiff for #698231.
Any comments?
Regards,
Salvatore
[memcached_1.4.13-0.2.debdiff (text/plain, attachment)]
Message sent on to Moritz Muehlenhoff <jmm@inutil.org>: Bug#698231. (Sat, 19 Jan 2013 19:48:08 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>: Bug#698231; Package memcached. (Wed, 23 Jan 2013 20:33:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to David Martínez Moreno <ender@debian.org>. (Wed, 23 Jan 2013 20:33:05 GMT)
Message #37 received at 698231@bugs.debian.org:
tags 698231 + pending
thanks
Dear maintainer,
I've prepared an NMU for memcached (versioned as 1.4.13-0.2) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.
Regards,
Salvatore
[memcached-1.4.13-0.2-nmu.diff (text/x-diff, attachment)]
Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 23 Jan 2013 20:33:07 GMT)
Reply sent to Salvatore Bonaccorso <carnil@debian.org>: You have taken responsibility. (Mon, 28 Jan 2013 21:03:03 GMT)
Notification sent to Moritz Muehlenhoff <jmm@inutil.org>: Bug acknowledged by developer. (Mon, 28 Jan 2013 21:03:03 GMT)
Message #44 received at 698231-close@bugs.debian.org:
Source: memcached
Source-Version: 1.4.13-0.2
We believe that the bug you reported is fixed in the latest version of
memcached, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 698231@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated memcached package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Wed, 23 Jan 2013 21:22:09 +0100
Source: memcached
Binary: memcached
Architecture: source amd64
Version: 1.4.13-0.2
Distribution: unstable
Urgency: low
Maintainer: David Martínez Moreno <ender@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
memcached - A high-performance memory object caching system
Closes: 698231
Changes:
memcached (1.4.13-0.2) unstable; urgency=low
.
* Non-maintainer upload.
* Add 05_fix-buffer-overrun_when_logging_keys.patch patch
[SECURITY] CVE-2013-0179: DoS due to buffer overrun when printing out keys
to be deleted in verbose mode. (Closes: #698231).
Information forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>: Bug#698231; Package memcached. (Tue, 29 Jan 2013 12:18:03 GMT)
Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>: Extra info received and forwarded to list. Copy sent to David Martínez Moreno <ender@debian.org>. (Tue, 29 Jan 2013 12:18:03 GMT)
Message #49 received at 698231@bugs.debian.org:
Package: memcached
Dear maintainer,
Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:
squeeze (6.0.7) - use target "stable"
Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.
I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.
For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].
0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/698231/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc
Thanks,
with his security hat on:
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 07:47:06 GMT)
Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 31 Dec 2013 07:24:08 GMT)
Marked as found in versions memcached/1.4.5-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 31 Dec 2013 07:24:09 GMT)
Marked as fixed in versions memcached/1.4.5-1+deb6u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 01 Jan 2014 12:03:04 GMT)
Reply sent to Salvatore Bonaccorso <carnil@debian.org>: You have taken responsibility. (Thu, 02 Jan 2014 13:51:10 GMT)
Notification sent to Moritz Muehlenhoff <jmm@inutil.org>: Bug acknowledged by developer. (Thu, 02 Jan 2014 13:51:10 GMT)
Message #62 received at 698231-close@bugs.debian.org:
Source: memcached
Source-Version: 1.4.5-1+deb6u1
We believe that the bug you reported is fixed in the latest version of
memcached, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 698231@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated memcached package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 31 Dec 2013 08:25:46 +0100
Source: memcached
Binary: memcached
Architecture: source amd64
Version: 1.4.5-1+deb6u1
Distribution: squeeze-security
Urgency: high
Maintainer: David Martínez Moreno <ender@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
memcached - A high-performance memory object caching system
Closes: 698231 706426
Changes:
memcached (1.4.5-1+deb6u1) squeeze-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add 03_fix-buffer-overrun_when_logging_keys.patch patch.
CVE-2013-0179: DoS due to buffer overrun when printing out keys to be
deleted in verbose mode. (Closes: #698231)
* Add 04_CVE-2011-4971.patch.
CVE-2011-4971: Fix remote denial of service. Sending a specially crafted
packet cause memcached to segfault. (Closes: #706426)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 31 Jan 2014 07:27:29 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:32:01 2019.