Your message dated Wed, 01 Jan 2014 21:47:14 +0000
with message-id <e1vytdc-0005kd...@franck.debian.org>
and subject line Bug#733643: fixed in memcached 1.4.13-0.2+deb7u1
has caused the Debian Bug report #733643,
regarding memcached: CVE-2013-7239: SASL authentication allows wrong credentials to access memcache
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
733643: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733643
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: memcached
Version: 1.4.13-0.2
Severity: grave
Tags: security upstream fixed-upstream patch
Control: forwarded -1 https://code.google.com/p/memcached/issues/detail?id=316

Hi

memcached from wheezy on is affected by an authentication bypass issue
when SASL authentication is turned on. Quoting upstream bug report:

1. Ran memcached server with following flags -S -d -m 1024 0.0.0.0 -p
   11211 -u ubuntu
2. Add user with saslpasswd2 -a memcached -c newuser
3. Pointed cached store: dalli_store, 'domain.com:11211', { :username =>
   newuser, :password *** } (I am using dalli gem in Rails application)
4. When I try to access memcache with wrong credentials, on the first
   try I get message that authentication failed, which is fine. But, when
   I try again to access the cache it lets me do it even I have provided
   wrong credentials.

This is reported upstream as [1]. Upstream has committed a patch to
resolve this issue at [2]. The testsuite addition demonstrates the
problem as well.

CVE-2013-7239 is assigned for this issue.

 [1] https://code.google.com/p/memcached/issues/detail?id=316
 [2] https://github.com/memcached/memcached/commit/87c1cf0f20be20608d3becf854e9cf0910f4ad32

Regards,
Salvatore

--- End Message ---
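The reproduction steps in the report above describe authentication state that survives a failed login on the same connection. The following is an added illustration, not memcached's code and not the upstream patch: a minimal model of how a binary-protocol cache server should gate every command on per-connection SASL state, with the reporter's sequence (wrong credentials, retry with wrong credentials, then correct credentials) replayed as a regression check. The PLAIN mechanism, the constructed `newuser` credential store, the `Connection` class and the response code strings are assumptions of the model.

```python
"""Per-connection SASL gating model (added illustration, not memcached's code).

Mirrors the sequence in the bug report: one failed login must not leave the
connection in a state where a retry with wrong credentials is accepted.
"""
import hashlib
import hmac
import secrets


def _make_entry(password: str) -> tuple[bytes, bytes]:
    """Constructed credential entry: (salt, sha256(salt || password))."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()


# Constructed sample user; saslpasswd2 would normally manage this store.
CREDENTIALS = {"newuser": _make_entry("correct-horse")}


class Connection:
    """State of one client connection; SASL state is never shared across connections."""

    def __init__(self) -> None:
        self.authenticated = False
        self.auth_failures = 0


def _verify_plain(user: str, password: str) -> bool:
    """Constant-time comparison of a PLAIN credential against the store."""
    entry = CREDENTIALS.get(user)
    if entry is None:
        # Hash anyway so unknown users take about as long as wrong passwords.
        hashlib.sha256(b"\0" * 16 + password.encode()).digest()
        return False
    salt, expected = entry
    candidate = hashlib.sha256(salt + password.encode()).digest()
    return hmac.compare_digest(candidate, expected)


def sasl_auth(conn: Connection, mechanism: str, user: str, password: str) -> str:
    """Handle one SASL AUTH request on `conn`; returns a response code string."""
    # Every AUTH request starts from the unauthenticated state: success is
    # granted only by this request's own verification, never carried over
    # from an earlier attempt on the same connection.
    conn.authenticated = False
    if mechanism != "PLAIN":
        return "AUTH_ERROR"
    if _verify_plain(user, password):
        conn.authenticated = True
        return "AUTH_OK"
    conn.auth_failures += 1
    return "AUTH_ERROR"


def dispatch(conn: Connection, command: str) -> str:
    """Gate every non-SASL command on the connection's authenticated flag."""
    if command == "SASL_LIST_MECHS":
        return "PLAIN"
    if not conn.authenticated:
        return "AUTH_ERROR"
    return f"OK {command}"


def regression_sequence() -> list[str]:
    """Replay the reporter's steps: wrong creds, retry with wrong creds, then right creds."""
    conn = Connection()
    return [
        sasl_auth(conn, "PLAIN", "newuser", "wrong"),
        dispatch(conn, "GET session:1"),  # must be refused
        sasl_auth(conn, "PLAIN", "newuser", "wrong"),  # the retry from step 4
        dispatch(conn, "GET session:1"),  # must still be refused
        sasl_auth(conn, "PLAIN", "newuser", "correct-horse"),
        dispatch(conn, "GET session:1"),
    ]


if __name__ == "__main__":
    for step, outcome in enumerate(regression_sequence(), 1):
        print(step, outcome)
```

The point of `regression_sequence` is the same as the upstream testsuite addition mentioned in the report: encode the failing sequence as a test so that a regression in the per-connection state handling is caught before release.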
--- Begin Message ---
Source: memcached
Source-Version: 1.4.13-0.2+deb7u1

We believe that the bug you reported is fixed in the latest version of
memcached, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 733...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated memcached package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 30 Dec 2013 17:47:44 +0100
Source: memcached
Binary: memcached
Architecture: source amd64
Version: 1.4.13-0.2+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: David Martínez Moreno <en...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description: 
 memcached  - A high-performance memory object caching system
Closes: 706426 733643
Changes: 
 memcached (1.4.13-0.2+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add 06_CVE-2011-4971.patch patch.
     CVE-2011-4971: Fix remote denial of service. Sending a specially
     crafted packet causes memcached to segfault. (Closes: #706426)
   * Add 07_CVE-2013-7239.patch patch.
     CVE-2013-7239: SASL authentication allows wrong credentials to access
     memcache. (Closes: #733643)
Checksums-Sha1: 
 644a6d5069a743764e43e5fbecd48ef7a67ff478 1806 memcached_1.4.13-0.2+deb7u1.dsc
 d9a48d222de53a2603fbab6156d48d0e8936ee92 320751 memcached_1.4.13.orig.tar.gz
 08a85a892d0fb0f45e3f35180829582af2c36de3 13967 memcached_1.4.13-0.2+deb7u1.diff.gz
 3d13843a773754c684d84e6754f382362b76322d 87758 memcached_1.4.13-0.2+deb7u1_amd64.deb
Checksums-Sha256: 
 1af5edec8ebf93af2a28a6df484f42e41a3973a90d3689f71cc092ef2d73c1b1 1806 memcached_1.4.13-0.2+deb7u1.dsc
 cb0b8b87aa57890d2327906a11f2f1b61b8d870c0885b54c61ca46f954f27e29 320751 memcached_1.4.13.orig.tar.gz
 e987f888ba1745cdf6ce604197234cffcaabec338790dabeed1c4a2bc3395e41 13967 memcached_1.4.13-0.2+deb7u1.diff.gz
 99a2572e72f8708453ac949c11ee74278dafc7a9ed04a3db3dce583c698b8ad1 87758 memcached_1.4.13-0.2+deb7u1_amd64.deb
Files: 
 11e442648b3ca4d3b7108e9e26677288 1806 web optional memcached_1.4.13-0.2+deb7u1.dsc
 6d18c6d25da945442fcc1187b3b63b7f 320751 web optional memcached_1.4.13.orig.tar.gz
 177d6c2ea9e0dc555c0b18d49b4f3b6d 13967 web optional memcached_1.4.13-0.2+deb7u1.diff.gz
 ec7acfae73fa674b473b37ed45f9a8b1 87758 web optional memcached_1.4.13-0.2+deb7u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
-----END PGP SIGNATURE-----

--- End Message ---
