Your message dated Wed, 12 May 2010 10:02:29 +0000
with message-id <e1oc8lp-0003uc...@ries.debian.org>
and subject line Bug#579913: fixed in memcached 1.4.5-1
has caused the Debian Bug report #579913,
regarding CVE-2010-1152: denial of service (daemon hang or crash)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
579913: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=579913
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: memcached
Severity: grave
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for memcached.

CVE-2010-1152[0]:
| memcached.c in memcached before 1.4.3 allows remote attackers to cause
| a denial of service (daemon hang or crash) via a long line that
| triggers excessive memory allocation.  NOTE: some of these details are
| obtained from third party information.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1152
    http://security-tracker.debian.org/tracker/CVE-2010-1152

    
    http://github.com/memcached/memcached/commit/75cc83685e103bc8ba380a57468c8f04413033f9
    http://github.com/memcached/memcached/commit/d9cd01ede97f4145af9781d448c62a3318952719

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkvdRm4ACgkQNxpp46476apZygCeNVAwaPbcT+URQmPbber2zgGG
i/sAnR7fPheTXOk3NbIvwTdqQ2FWB7s2
=QfvN
-----END PGP SIGNATURE-----



--- End Message ---
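
The bug class named in the CVE text above (a line with no terminator makes the server keep growing its read buffer), shown as an added example. This is not memcached's code and not the upstream fix in the linked commits; conn_feed, simulate_long_line and the 2048-byte MAX_LINE are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Illustrative names and limit (assumptions, not taken from memcached). */
#define MAX_LINE 2048
enum feed_result { NEED_MORE, LINE_READY, LINE_TOO_LONG, OUT_OF_MEMORY };
struct conn { char *rbuf; size_t rbytes, rsize; }; /* unparsed input */

/* Append one read. The caller removes a line from rbuf after LINE_READY.
 * max_line == 0 means no cap: the buffer doubles while no newline arrives. */
enum feed_result conn_feed(struct conn *c, const char *data, size_t len,
                           size_t max_line)
{
    const char *nl = memchr(data, '\n', len);
    size_t line_len = c->rbytes + (nl ? (size_t)(nl - data) : len);
    /* Check before allocating, so the cap bounds memory, not only parsing. */
    if (max_line != 0 && line_len > max_line)
        return LINE_TOO_LONG; /* caller closes the connection */
    if (c->rbytes + len > c->rsize) {
        size_t nsize = c->rsize ? c->rsize : 256;
        while (nsize < c->rbytes + len)
            nsize *= 2;
        char *nbuf = realloc(c->rbuf, nsize);
        if (nbuf == NULL) return OUT_OF_MEMORY;
        c->rbuf = nbuf;
        c->rsize = nsize;
    }
    memcpy(c->rbuf + c->rbytes, data, len);
    c->rbytes += len;
    return nl ? LINE_READY : NEED_MORE;
}

/* Feed newline-free 1 KiB reads (constructed input); return bytes allocated. */
size_t simulate_long_line(size_t chunks, size_t max_line)
{
    struct conn c = {0};
    char chunk[1024];
    memset(chunk, 'A', sizeof chunk);
    for (size_t i = 0; i < chunks; i++)
        if (conn_feed(&c, chunk, sizeof chunk, max_line) != NEED_MORE) break;
    size_t reached = c.rsize;
    free(c.rbuf);
    return reached;
}

int main(void) {
    printf("uncapped: %zu bytes, capped: %zu bytes\n",
           simulate_long_line(64, 0), simulate_long_line(64, MAX_LINE));
    return 0;
}
```

Without a cap the allocation tracks whatever the peer sends; with the cap it stops at MAX_LINE and the connection can be dropped.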
--- Begin Message ---
Source: memcached
Source-Version: 1.4.5-1

We believe that the bug you reported is fixed in the latest version of
memcached, which is due to be installed in the Debian FTP archive:

memcached_1.4.5-1.diff.gz
  to main/m/memcached/memcached_1.4.5-1.diff.gz
memcached_1.4.5-1.dsc
  to main/m/memcached/memcached_1.4.5-1.dsc
memcached_1.4.5-1_amd64.deb
  to main/m/memcached/memcached_1.4.5-1_amd64.deb
memcached_1.4.5.orig.tar.gz
  to main/m/memcached/memcached_1.4.5.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 579...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Martínez Moreno <en...@debian.org> (supplier of updated memcached package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 12 May 2010 11:41:22 +0200
Source: memcached
Binary: memcached
Architecture: source amd64
Version: 1.4.5-1
Distribution: unstable
Urgency: high
Maintainer: David Martínez Moreno <en...@debian.org>
Changed-By: David Martínez Moreno <en...@debian.org>
Description: 
 memcached  - A high-performance memory object caching system
Closes: 565033 579913
Changes: 
 memcached (1.4.5-1) unstable; urgency=high
 .
   * New upstream release.  Main changes since 1.4.2 are:
     New features:
     - Support for SASL authentication.
     - New script damemtop - a memcached top.
     - Slab optimizations.
     - New stats, for reclaimed memory and SASL events.
     Bugs fixed:
     - Malicious input can crash server (CVE-2010-1152).  Closes: #579913.
     - Fixed several problems with slab handling and growth.
     - Provide better error reporting.
     - Fix get stats accounting.
     - Fixed backwards compatibility with delete 0.
     - Documentation fixes.
     - Various build fixes, among others, fixed FTBFS with gcc-4.5 (closes:
       #565033).
   * Refreshed and renamed 01_init_script_compliant_with_LSB.patch.
   * Fixed lintian warnings by adding $remote_fs to init.d script.
   * Removed non-existent document (doc/memory_management.txt).
   * debian/control: Bumped Standards-Version to 3.8.4 (no changes).
   *

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkvqd+kACgkQWs/EhA1iABvPsgCg5979b2DcM3z2SeWQ+9VnWki2
7uoAoKGAT/RNg1YNl114k5cfC9ACyF7Q
=Z5oG
-----END PGP SIGNATURE-----



--- End Message ---
