Debian Bug report logs - #733643
memcached: CVE-2013-7239: SASL authentication allows wrong credentials to access memcache

version graph

Package: memcached; Maintainer for memcached is David Martínez Moreno <ender@debian.org>; Source for memcached is src:memcached.

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 30 Dec 2013 16:33:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version memcached/1.4.13-0.2

Fixed in versions memcached/1.4.13-0.2+deb7u1, memcached/1.4.13-0.3

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://code.google.com/p/memcached/issues/detail?id=316

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, David Martínez Moreno <ender@debian.org>:
Bug#733643; Package memcached. (Mon, 30 Dec 2013 16:33:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, David Martínez Moreno <ender@debian.org>. (Mon, 30 Dec 2013 16:33:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: memcached: CVE-2013-7239: SASL authentication allows wrong credentials to access memcache
Date: Mon, 30 Dec 2013 17:30:30 +0100
Package: memcached
Version: 1.4.13-0.2
Severity: grave
Tags: security upstream fixed-upstream patch
Control: forwarded -1 https://code.google.com/p/memcached/issues/detail?id=316

Hi

memcached from wheezy on is affected by an authentication bypass issue
when SASL authentication is turned on. Quoting upstream bugreport:

1. Ran memcached server with following flags -S -d -m 1024 0.0.0.0 -p
   11211 -u ubuntu
2. Add user with saslpasswd2 -a memcached -c newuser
3. Pointed cached store: dalli_store, 'domain.com:11211', { :username => newuser, :password *** } (  I am using dalli gem in Rails application)
4. When I try to access memcache with wrong credentials, on the first
   try I get message that authentication failed, which is fine. But, when
   I try again to access the cache it lets me do it even I have provided
   wrong credentials.

This is reported upstream as [1]. Upstream has commited a patch to
resolve this issue at [2]. The testsuite addition demostrates the
probelm as well.

CVE-2013-7239 is assigned for this issue.

 [1] https://code.google.com/p/memcached/issues/detail?id=316
 [2] https://github.com/memcached/memcached/commit/87c1cf0f20be20608d3becf854e9cf0910f4ad32

Regards,
Salvatore



Set Bug forwarded-to-address to 'https://code.google.com/p/memcached/issues/detail?id=316'. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 30 Dec 2013 16:33:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>:
Bug#733643; Package memcached. (Mon, 30 Dec 2013 17:03:22 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to David Martínez Moreno <ender@debian.org>. (Mon, 30 Dec 2013 17:03:22 GMT) Full text and rfc822 format available.

Message #12 received at 733643@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 733643@bugs.debian.org, 706426@bugs.debian.org
Subject: memcached: diff for NMU version 1.4.13-0.3
Date: Mon, 30 Dec 2013 18:00:38 +0100
[Message part 1 (text/plain, inline)]
Hi

Attached is a preliminary debdiff for fixing both issues.

Regards,
Salvatore
[memcached-1.4.13-0.3-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 706426-submit@bugs.debian.org. (Wed, 01 Jan 2014 14:42:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, David Martínez Moreno <ender@debian.org>:
Bug#733643; Package memcached. (Wed, 01 Jan 2014 14:42:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to David Martínez Moreno <ender@debian.org>. (Wed, 01 Jan 2014 14:42:09 GMT) Full text and rfc822 format available.

Message #19 received at 733643@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 706426@bugs.debian.org, 733643@bugs.debian.org
Subject: memcached: diff for NMU version 1.4.13-0.3
Date: Wed, 1 Jan 2014 15:39:34 +0100
[Message part 1 (text/plain, inline)]
Control: tags 706426 + patch pending
Control: tags 733643 + patch pending

Dear maintainer,

I've prepared an NMU for memcached (versioned as 1.4.13-0.3) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[memcached-1.4.13-0.3-nmu.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Wed, 01 Jan 2014 21:48:25 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 01 Jan 2014 21:48:25 GMT) Full text and rfc822 format available.

Message #24 received at 733643-close@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 733643-close@bugs.debian.org
Subject: Bug#733643: fixed in memcached 1.4.13-0.2+deb7u1
Date: Wed, 01 Jan 2014 21:47:14 +0000
Source: memcached
Source-Version: 1.4.13-0.2+deb7u1

We believe that the bug you reported is fixed in the latest version of
memcached, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 733643@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated memcached package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 30 Dec 2013 17:47:44 +0100
Source: memcached
Binary: memcached
Architecture: source amd64
Version: 1.4.13-0.2+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: David Martínez Moreno <ender@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 memcached  - A high-performance memory object caching system
Closes: 706426 733643
Changes: 
 memcached (1.4.13-0.2+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add 06_CVE-2011-4971.patch patch.
     CVE-2011-4971: Fix remote denial of service. Sending a specially
     crafted packet cause memcached to segfault. (Closes: #706426)
   * Add 07_CVE-2013-7239.patch patch.
     CVE-2013-7239: SASL authentication allows wrong credentials to access
     memcache. (Closes: #733643)
Checksums-Sha1: 
 644a6d5069a743764e43e5fbecd48ef7a67ff478 1806 memcached_1.4.13-0.2+deb7u1.dsc
 d9a48d222de53a2603fbab6156d48d0e8936ee92 320751 memcached_1.4.13.orig.tar.gz
 08a85a892d0fb0f45e3f35180829582af2c36de3 13967 memcached_1.4.13-0.2+deb7u1.diff.gz
 3d13843a773754c684d84e6754f382362b76322d 87758 memcached_1.4.13-0.2+deb7u1_amd64.deb
Checksums-Sha256: 
 1af5edec8ebf93af2a28a6df484f42e41a3973a90d3689f71cc092ef2d73c1b1 1806 memcached_1.4.13-0.2+deb7u1.dsc
 cb0b8b87aa57890d2327906a11f2f1b61b8d870c0885b54c61ca46f954f27e29 320751 memcached_1.4.13.orig.tar.gz
 e987f888ba1745cdf6ce604197234cffcaabec338790dabeed1c4a2bc3395e41 13967 memcached_1.4.13-0.2+deb7u1.diff.gz
 99a2572e72f8708453ac949c11ee74278dafc7a9ed04a3db3dce583c698b8ad1 87758 memcached_1.4.13-0.2+deb7u1_amd64.deb
Files: 
 11e442648b3ca4d3b7108e9e26677288 1806 web optional memcached_1.4.13-0.2+deb7u1.dsc
 6d18c6d25da945442fcc1187b3b63b7f 320751 web optional memcached_1.4.13.orig.tar.gz
 177d6c2ea9e0dc555c0b18d49b4f3b6d 13967 web optional memcached_1.4.13-0.2+deb7u1.diff.gz
 ec7acfae73fa674b473b37ed45f9a8b1 87758 web optional memcached_1.4.13-0.2+deb7u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBCgAGBQJSwgiZAAoJEAVMuPMTQ89EB6kP/jFw6pADqy/JCWlcc9Uw0C2t
2Slfmwl6KeazFn0xka+gOYda9sq4cpL12ysaystysjVzsrvDYxmRU5WNYj+YydUO
EKZlZIpOTAb4fqU4ktju/ee/5+zMhxFt34pgrrkYGIMOuc+b8X/g/EUYdUfidXx4
afK4966TQDxULbnCEy+6j1jD2PGyn4nv+GEdbc7g3Pj+P/zk5u1/3r4IdS6+XRP9
rLKzSLHxEl6BVEAY2BLC/N8XLBEmjOZaz5CjyjjEsDnRYqlrXycCivfQeuFYdlqk
CS4oLJbjS32W8dL0sQluLd9+P3rT29CPc20gKdK7iEsbzUiXFUhzM1iArfaLSBjc
cLmLhXLhbhci9EC+3jNybIA0c3Yyrd3LdfKF5qSWno2Wwf9IXVSURUl1y7OmwMmX
c8jtcw1qI9Kq7ETHbJP2mcNtlWK0ARSC0WytAHTAl5AmWvJGbwTV1v4cJDeA0DT0
bUrB7vG38kNX94mwLO7zz3X4A08NYUlNq1HgL6GOZoIRXFeWbRCa1GG9GSxxNXkY
NDiqomqyd7Cw1BuQtRoE79ZGm3/oZ9kuOtePKSazV0DhCZYFdUG+G/GJmZ6RgoX4
raKOJbm7yMseOaMLRODHgR5YhpW70MHSna98k3QpZco3nw/8sQeM2lklWC047ZcI
rYgylah/DqrJDiBCm/yt
=4Jji
-----END PGP SIGNATURE-----




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Fri, 03 Jan 2014 15:24:09 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 03 Jan 2014 15:24:09 GMT) Full text and rfc822 format available.

Message #29 received at 733643-close@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 733643-close@bugs.debian.org
Subject: Bug#733643: fixed in memcached 1.4.13-0.3
Date: Fri, 03 Jan 2014 15:22:20 +0000
Source: memcached
Source-Version: 1.4.13-0.3

We believe that the bug you reported is fixed in the latest version of
memcached, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 733643@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated memcached package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 30 Dec 2013 17:47:44 +0100
Source: memcached
Binary: memcached
Architecture: source amd64
Version: 1.4.13-0.3
Distribution: unstable
Urgency: high
Maintainer: David Martínez Moreno <ender@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 memcached  - A high-performance memory object caching system
Closes: 706426 733643
Changes: 
 memcached (1.4.13-0.3) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Add 06_CVE-2011-4971.patch patch.
     CVE-2011-4971: Fix remote denial of service. Sending a specially
     crafted packet cause memcached to segfault. (Closes: #706426)
   * Add 07_CVE-2013-7239.patch patch.
     CVE-2013-7239: SASL authentication allows wrong credentials to access
     memcache. (Closes: #733643)
Checksums-Sha1: 
 1a470c770a3766e7abe35cbc4fda1184439f4a82 1778 memcached_1.4.13-0.3.dsc
 d9a48d222de53a2603fbab6156d48d0e8936ee92 320751 memcached_1.4.13.orig.tar.gz
 e810be36f9f75c5cf477d726ddfe8ad87eacf183 13906 memcached_1.4.13-0.3.diff.gz
 bdbc24572e201711871992c5d8783faf0b669e7d 77622 memcached_1.4.13-0.3_amd64.deb
Checksums-Sha256: 
 87c81faccf611b7e39e7464ed217ed1e6a3ce36631ede820b63b765a549ad2c3 1778 memcached_1.4.13-0.3.dsc
 cb0b8b87aa57890d2327906a11f2f1b61b8d870c0885b54c61ca46f954f27e29 320751 memcached_1.4.13.orig.tar.gz
 45760a8dfffc672aad948aace33b87c2ebe7a2934d5f0d096458be99ac62c970 13906 memcached_1.4.13-0.3.diff.gz
 dc82c7c203677a2009dcbab978a42fee9c0548f3a3f36a08d5c8465c3c96fbde 77622 memcached_1.4.13-0.3_amd64.deb
Files: 
 a8e1422ac7dc84748fd216f348314a72 1778 web optional memcached_1.4.13-0.3.dsc
 6d18c6d25da945442fcc1187b3b63b7f 320751 web optional memcached_1.4.13.orig.tar.gz
 6c1f14b699cc5e962781b61da3773067 13906 web optional memcached_1.4.13-0.3.diff.gz
 6bcc195d2eff12e2c3f82cfdd6c01c71 77622 web optional memcached_1.4.13-0.3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBCgAGBQJSxCeyAAoJEAVMuPMTQ89E1RwP/1xAt2C9bBWCtIo2wS/Vkt3g
c67K3yVS+oFiAUj068Z0/rWfvnZcfAR8mG9Mu8eBD5AMrJES9XLBU1ZWOHKTmaqr
CLFVOhbn8AS5CadkJ5VpCV56ISbXrVlsxRgmfzKhIObOseNFC/Alt2c7GC7fM7Bj
57mcEof41LHNso19g3by/WV4vI33CGCZ2NGobF+VzBw0lKu3mVDbayEQ2HR2MAnw
8P3yVqkmMJ43UNqn6dBAru/IVsb3zfW/GNF1XS8bGwzTRVSj4/nzYHvyUuLjL0A6
Db2Bc5SBwPbQIX3CalAKCCX85DwgvV1LQZDuD+cbwWLSlHH+wWPTqhPU+y2Q26BO
Pjf1kJ/+ZIls5Pt2zX4d2Y5ufgoAxbdCQjuhDt91LQYMLM4Oy3YMId7GkCzEgxTi
lfHeF2/walrig2U4DrJwQmvoASM6ng9PZH4G9aI5lS7ZuSJ4DL3972WVauDg326k
CYYGY8W0t+54qLYvtjH4Dh3vV4rKXYEFQglqOvbxjCWisLKtWNHQPPTjUevLCNcS
NigGKJCM45KlZ4bndkNJk6UXQDX5hYcFhEYvChgxN1eE6bYWUIgw2HBMz+3p1ETD
pYxw6c/MpHF40L6hdUfK6ERyJnCa91XhyyBZtIrrWjSncG4q+KTJujNo5pLxAd2z
X8ie2PQA25PCsPpnonuY
=hiUH
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 09 Feb 2014 07:30:42 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 15:54:54 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.