Your message dated Fri, 03 Jan 2014 15:22:20 +0000
with message-id <e1vz6zo-0007uh...@franck.debian.org>
and subject line Bug#733643: fixed in memcached 1.4.13-0.3
has caused the Debian Bug report #733643,
regarding memcached: CVE-2013-7239: SASL authentication allows wrong
credentials to access memcache
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
733643: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733643
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: memcached
Version: 1.4.13-0.2
Severity: grave
Tags: security upstream fixed-upstream patch
Control: forwarded -1 https://code.google.com/p/memcached/issues/detail?id=316
Hi
memcached from wheezy on is affected by an authentication bypass issue
when SASL authentication is turned on. Quoting upstream bugreport:
1. Ran memcached server with following flags -S -d -m 1024 0.0.0.0 -p 11211 -u ubuntu
2. Add user with saslpasswd2 -a memcached -c newuser
3. Pointed cached store: dalli_store, 'domain.com:11211', { :username => newuser, :password *** } ( I am using dalli gem in Rails application)
4. When I try to access memcache with wrong credentials, on the first try I get message that authentication failed, which is fine. But, when I try again to access the cache it lets me do it even I have provided wrong credentials.
This is reported upstream as [1]. Upstream has committed a patch to
resolve this issue at [2]. The testsuite addition demonstrates the
problem as well.
CVE-2013-7239 is assigned for this issue.
[1] https://code.google.com/p/memcached/issues/detail?id=316
[2] https://github.com/memcached/memcached/commit/87c1cf0f20be20608d3becf854e9cf0910f4ad32
Regards,
Salvatore
--- End Message ---
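The report above describes the observable symptom (a failed SASL login followed by a retry that is served anyway) but not a way to confirm the behaviour on a given build. The following script is an added example written for this bug record, not upstream's test or anything from the Debian package: it speaks the memcached binary protocol directly, sends a deliberately wrong PLAIN credential, then issues a GET on the same socket and, if the server closed it (as memcached does on an auth error), on a fresh connection, mirroring the "try again" in the report. Host, port, user name, the probe key and the mapping of status codes to a verdict are assumptions; the server is expected to run with -S as in the report. The protocol framing is tested offline on constructed bytes, so it runs without a server.

```python
"""Regression check for the CVE-2013-7239 symptom: after a failed SASL
auth, does a memcached server (started with -S) still serve a GET?

Added example for this bug report, not upstream's test. Host, port,
credentials and the verdict mapping below are assumptions.
"""
import socket
import struct

# memcached binary protocol header: magic, opcode, key len, extras len,
# data type, status (vbucket in requests), body len, opaque, cas = 24 bytes
HEADER = struct.Struct("!BBHBBHIIQ")
MAGIC_REQ, MAGIC_RES = 0x80, 0x81
OP_GET, OP_SASL_AUTH = 0x00, 0x21
STATUS_OK, STATUS_KEY_NOT_FOUND, STATUS_AUTH_ERROR = 0x0000, 0x0001, 0x0020


def build_request(opcode, key=b"", extras=b"", value=b"", opaque=0):
    """Frame one request: 24-byte header, then extras, key, value."""
    body = extras + key + value
    header = HEADER.pack(MAGIC_REQ, opcode, len(key), len(extras), 0, 0,
                         len(body), opaque, 0)
    return header + body


def build_sasl_plain(user, password):
    """SASL AUTH request with the PLAIN mechanism; token is "\\0user\\0password"."""
    token = b"\0" + user.encode() + b"\0" + password.encode()
    return build_request(OP_SASL_AUTH, key=b"PLAIN", value=token)


def parse_response(data):
    """Return (opcode, status, body) for one complete response frame, else None."""
    if len(data) < HEADER.size:
        return None
    magic, opcode, _klen, _elen, _dtype, status, blen, _opaque, _cas = \
        HEADER.unpack_from(data)
    if magic != MAGIC_RES or len(data) < HEADER.size + blen:
        return None
    return opcode, status, data[HEADER.size:HEADER.size + blen]


def classify(auth_status, get_status):
    """Verdict from the two statuses. Only a GET answered with NO_ERROR or
    KEY_NOT_FOUND after an AUTH_ERROR is the reported bug; an AUTH_ERROR on
    the GET is the expected, fixed behaviour. (Assumed mapping.)"""
    if auth_status != STATUS_AUTH_ERROR:
        return "inconclusive: credentials were accepted, use a known-bad password"
    if get_status == STATUS_AUTH_ERROR:
        return "fixed: command rejected after failed SASL auth"
    if get_status in (STATUS_OK, STATUS_KEY_NOT_FOUND):
        return "vulnerable: command served after failed SASL auth"
    return "inconclusive: unexpected status 0x%04x" % get_status


def recv_frame(sock):
    """Read until one full response frame is buffered; None if the peer closed."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return None
        buf += chunk
        frame = parse_response(buf)
        if frame:
            return frame


def check_server(host, port, user, bad_password, key=b"probe-key"):
    """Wrong PLAIN credential, then a GET: same socket first, then a fresh one."""
    get = None
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(build_sasl_plain(user, bad_password))
        auth = recv_frame(s)
        if auth is None:
            return "inconclusive: no response to SASL AUTH"
        try:
            s.sendall(build_request(OP_GET, key=key))
            get = recv_frame(s)
        except OSError:
            get = None  # server closed the socket on auth error
    if get is None:
        # The report's "try again": a new connection with no further auth attempt.
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(build_request(OP_GET, key=key))
            get = recv_frame(s)
    if get is None:
        return "fixed: connection closed before serving any command"
    return classify(auth[1], get[1])


if __name__ == "__main__":
    # Assumed local test instance and a user created with saslpasswd2 as in the report.
    print(check_server("127.0.0.1", 11211, "newuser", "definitely-wrong"))
```

Run it against a test instance before and after installing 1.4.13-0.3; the verdict line is the only output. The status constants are the documented binary-protocol values (0x0020 is the auth error memcached returns for any command on an unauthenticated connection when -S is in effect).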
--- Begin Message ---
Source: memcached
Source-Version: 1.4.13-0.3
We believe that the bug you reported is fixed in the latest version of
memcached, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 733...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated memcached package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 30 Dec 2013 17:47:44 +0100
Source: memcached
Binary: memcached
Architecture: source amd64
Version: 1.4.13-0.3
Distribution: unstable
Urgency: high
Maintainer: David Martínez Moreno <en...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description:
memcached - A high-performance memory object caching system
Closes: 706426 733643
Changes:
memcached (1.4.13-0.3) unstable; urgency=high
.
* Non-maintainer upload.
* Add 06_CVE-2011-4971.patch patch.
CVE-2011-4971: Fix remote denial of service. Sending a specially
crafted packet cause memcached to segfault. (Closes: #706426)
* Add 07_CVE-2013-7239.patch patch.
CVE-2013-7239: SASL authentication allows wrong credentials to access
memcache. (Closes: #733643)
Checksums-Sha1:
1a470c770a3766e7abe35cbc4fda1184439f4a82 1778 memcached_1.4.13-0.3.dsc
d9a48d222de53a2603fbab6156d48d0e8936ee92 320751 memcached_1.4.13.orig.tar.gz
e810be36f9f75c5cf477d726ddfe8ad87eacf183 13906 memcached_1.4.13-0.3.diff.gz
bdbc24572e201711871992c5d8783faf0b669e7d 77622 memcached_1.4.13-0.3_amd64.deb
Checksums-Sha256:
87c81faccf611b7e39e7464ed217ed1e6a3ce36631ede820b63b765a549ad2c3 1778 memcached_1.4.13-0.3.dsc
cb0b8b87aa57890d2327906a11f2f1b61b8d870c0885b54c61ca46f954f27e29 320751 memcached_1.4.13.orig.tar.gz
45760a8dfffc672aad948aace33b87c2ebe7a2934d5f0d096458be99ac62c970 13906 memcached_1.4.13-0.3.diff.gz
dc82c7c203677a2009dcbab978a42fee9c0548f3a3f36a08d5c8465c3c96fbde 77622 memcached_1.4.13-0.3_amd64.deb
Files:
a8e1422ac7dc84748fd216f348314a72 1778 web optional memcached_1.4.13-0.3.dsc
6d18c6d25da945442fcc1187b3b63b7f 320751 web optional memcached_1.4.13.orig.tar.gz
6c1f14b699cc5e962781b61da3773067 13906 web optional memcached_1.4.13-0.3.diff.gz
6bcc195d2eff12e2c3f82cfdd6c01c71 77622 web optional memcached_1.4.13-0.3_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---