memcached: CVE-2016-8705

Debian Bug report logs - #842812

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 1 Nov 2016 13:09:02 UTC

Severity: grave

Tags: security, upstream

Found in versions memcached/1.4.31-1, memcached/1.4.21-1.1

Fixed in versions memcached/1.4.13-0.2+deb7u2, memcached/1.4.33-1, memcached/1.4.21-1.1+deb8u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, David Martínez Moreno <ender@debian.org>:
Bug#842812; Package src:memcached. (Tue, 01 Nov 2016 13:09:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, David Martínez Moreno <ender@debian.org>. (Tue, 01 Nov 2016 13:09:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: memcached: CVE-2016-8705
Date: Tue, 01 Nov 2016 14:05:19 +0100
Source: memcached
Version: 1.4.31-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for memcached.

CVE-2016-8705[0]:
Memcached Server Update Remote Code Execution Vulnerability

It is reproducible with the (fixed) reproducer on the TALOS site, when
running under valgrind easily.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-8705
[1] http://www.talosintelligence.com/reports/TALOS-2016-0220/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Severity set to 'grave' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 01 Nov 2016 16:03:05 GMT).


Marked as found in versions memcached/1.4.21-1.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 01 Nov 2016 16:39:04 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>:
Bug#842812; Package src:memcached. (Thu, 03 Nov 2016 02:24:04 GMT).


Acknowledgement sent to Guillaume Delacour <gui@iroqwa.org>:
Extra info received and forwarded to list. Copy sent to David Martínez Moreno <ender@debian.org>. (Thu, 03 Nov 2016 02:24:04 GMT).


Message #14 received at 842812@bugs.debian.org:

From: Guillaume Delacour <gui@iroqwa.org>
To: 842812@bugs.debian.org
Subject: Re: memcached: CVE-2016-8705
Date: Thu, 3 Nov 2016 03:21:37 +0100
Fix is the same as #842814.

On Tue, 01 Nov 2016 14:05:19 +0100 Salvatore Bonaccorso
<carnil@debian.org> wrote:
> Source: memcached
> Version: 1.4.31-1
> Severity: important
> Tags: security upstream
> 
> Hi,
> 
> the following vulnerability was published for memcached.
> 
> CVE-2016-8705[0]:
> Memcached Server Update Remote Code Execution Vulnerability
> 
> It is reproducible with the (fixed) reproducer on the TALOS site, when
> running under valgrind easily.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-8705
> [1] http://www.talosintelligence.com/reports/TALOS-2016-0220/
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore
> 
> 

-- 
Guillaume Delacour


Added blocking bug(s) of 842812: 842814. Request was from gui@iroqwa.org to control@bugs.debian.org. (Thu, 03 Nov 2016 02:27:07 GMT).


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 03 Nov 2016 06:42:06 GMT).


Marked as fixed in versions memcached/1.4.33-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 05 Nov 2016 09:27:07 GMT).


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 05 Nov 2016 09:27:07 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 05 Nov 2016 09:27:08 GMT).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#842812. (Sat, 05 Nov 2016 09:27:12 GMT).


Message #27 received at 842812-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 842811-submitter@bugs.debian.org, 842812-submitter@bugs.debian.org, 842814-submitter@bugs.debian.org
Subject: closing 842811, closing 842812, closing 842814
Date: Sat, 05 Nov 2016 10:24:54 +0100
close 842811 1.4.33-1
close 842812 1.4.33-1
close 842814 1.4.33-1
thanks




Marked as fixed in versions memcached/1.4.13-0.2+deb7u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 05 Nov 2016 15:09:06 GMT).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 05 Nov 2016 18:51:09 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 05 Nov 2016 18:51:10 GMT).


Message #34 received at 842812-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 842812-close@bugs.debian.org
Subject: Bug#842812: fixed in memcached 1.4.21-1.1+deb8u1
Date: Sat, 05 Nov 2016 18:47:38 +0000
Source: memcached
Source-Version: 1.4.21-1.1+deb8u1

We believe that the bug you reported is fixed in the latest version of
memcached, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 842812@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated memcached package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 01 Nov 2016 22:10:45 +0100
Source: memcached
Binary: memcached
Architecture: source
Version: 1.4.21-1.1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: David Martínez Moreno <ender@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 842811 842812 842814
Description: 
 memcached  - high-performance memory object caching system
Changes:
 memcached (1.4.21-1.1+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add patch to fix various issues reported by the Cisco TALOS project.
     CVE-2016-8704: Server append/prepend remote code execution
     CVE-2016-8705: Server update remote code execution
     CVE-2016-8706: Server ASL authentication remote code execution
     (Closes: #842811, #842812, #842814)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Dec 2016 07:55:55 GMT).


Bug unarchived. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 02:05:23 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 12 Feb 2017 07:26:26 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:19:03 2019; Machine Name: beach

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.