exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Mandriva Linux Security Advisory 2014-010

Mandriva Linux Security Advisory 2014-010
Posted Jan 17, 2014
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2014-010 - Multiple vulnerabilities has been discovered and corrected in memcached. The process_bin_delete function in memcached.c in memcached 1.4.4 and other versions before 1.4.17, when running in verbose mode, allows remote attackers to cause a denial of service via a request to delete a key, which does not account for the lack of a null terminator in the key and triggers a buffer over-read when printing to stderr. memcached before 1.4.17 allows remote attackers to bypass authentication by sending an invalid request with SASL credentials, then sending another request with incorrect SASL credentials. Various other issues have also been addressed.

tags | advisory, remote, denial of service, vulnerability
systems | linux, mandriva
advisories | CVE-2013-0179, CVE-2013-7239, CVE-2013-7290, CVE-2013-7291
SHA-256 | 56e23873dfb9810e91b41765d15d9e18cafd0f9578ff6c5806a952a61bf20fc8

Mandriva Linux Security Advisory 2014-010

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2014:010
https://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : memcached
Date : January 17, 2014
Affected: Business Server 1.0, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities has been discovered and corrected in
memcached:

The process_bin_delete function in memcached.c in memcached 1.4.4 and
other versions before 1.4.17, when running in verbose mode, allows
remote attackers to cause a denial of service (segmentation fault)
via a request to delete a key, which does not account for the lack
of a null terminator in the key and triggers a buffer over-read when
printing to stderr (CVE-2013-0179).

memcached before 1.4.17 allows remote attackers to bypass
authentication by sending an invalid request with SASL credentials,
then sending another request with incorrect SASL credentials
(CVE-2013-7239).

The do_item_get function in items.c in memcached 1.4.4 and other
versions before 1.4.17, when running in verbose mode, allows remote
attackers to cause a denial of service (segmentation fault) via a
request to delete a key, which does not account for the lack of a null
terminator in the key and triggers a buffer over-read when printing to
stderr, a different vulnerability than CVE-2013-0179 (CVE-2013-7290).

memcached before 1.4.17, when running in verbose mode, allows
remote attackers to cause a denial of service (crash) via a request
that triggers an unbounded key print during logging, related to an
issue that was quickly grepped out of the source tree, a different
vulnerability than CVE-2013-0179 and CVE-2013-7290 (CVE-2013-7291).

The updated packages have been upgraded to the 1.4.17 version which
is unaffected by these issues.
_______________________________________________________________________

References:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0179
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7239
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7290
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7291
https://code.google.com/p/memcached/wiki/ReleaseNotes1417
_______________________________________________________________________

Updated Packages:

Mandriva Enterprise Server 5:
a16c2422bfa525dbbaaf53a1947eb857 mes5/i586/memcached-1.4.17-0.1mdvmes5.2.i586.rpm
bb30dd36547f39e0cc197e3286882c62 mes5/i586/memcached-devel-1.4.17-0.1mdvmes5.2.i586.rpm
ef22bb85c812d510bde6110098a38f01 mes5/SRPMS/memcached-1.4.17-0.1mdvmes5.2.src.rpm

Mandriva Enterprise Server 5/X86_64:
74c7f0f6ece79b4cbe924c8d41670d7a mes5/x86_64/memcached-1.4.17-0.1mdvmes5.2.x86_64.rpm
a4b21173b04c8944067f34870b948fba mes5/x86_64/memcached-devel-1.4.17-0.1mdvmes5.2.x86_64.rpm
ef22bb85c812d510bde6110098a38f01 mes5/SRPMS/memcached-1.4.17-0.1mdvmes5.2.src.rpm

Mandriva Business Server 1/X86_64:
8035d2870bcd192b1c6b6419256e4714 mbs1/x86_64/memcached-1.4.17-1.mbs1.x86_64.rpm
5343cfb775b8adc04760f6b5717aa4ce mbs1/x86_64/memcached-devel-1.4.17-1.mbs1.x86_64.rpm
d7a230375722086b5419ca49544de75c mbs1/SRPMS/memcached-1.4.17-1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

https://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFS2Q5omqjQ0CJFipgRAmQPAKCpbbljUvxwXBSzyzSuIAq56bRBygCdH1E6
0mBdsWBHW14kxDPmOwU604Y=
=qOuN
-----END PGP SIGNATURE-----


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close