Skip to content

GitLab

  • Projects
  • Groups
  • Snippets
  • Help
    • Loading...
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in / Register
aports
aports
  • Project overview
    • Project overview
    • Details
    • Activity
    • Releases
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
  • Issues 677
    • Issues 677
    • List
    • Boards
    • Labels
    • Service Desk
    • Milestones
  • Merge Requests 214
    • Merge Requests 214
  • CI / CD
    • CI / CD
    • Pipelines
    • Jobs
    • Schedules
  • Operations
    • Operations
    • Incidents
    • Environments
  • Analytics
    • Analytics
    • CI / CD
    • Repository
    • Value Stream
  • Members
    • Members
  • Collapse sidebar
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
  • alpine
  • aportsaports
  • Issues
  • #2625

Closed
Open
Opened Feb 04, 2014 by Alexander Belous@belousa

[v2.4] memcached: remote DoS (CVE-2013-0179 CVE-2013-7239 CVE-2013-7290 CVE-2013-7291)

The process_bin_delete function in memcached.c in memcached 1.4.4 and other versions before 1.4.17, when running in verbose mode, allows remote attackers to cause a denial of service (segmentation fault) via a request to delete a key, which does not account for the lack of a null terminator in the key and triggers a buffer over-read when printing to stderr (CVE-2013-0179).

memcached before 1.4.17 allows remote attackers to bypass authentication by sending an invalid request with SASL credentials, then sending another request with incorrect SASL credentials (CVE-2013-7239).

The do_item_get function in items.c in memcached 1.4.4 and other versions before 1.4.17, when running in verbose mode, allows remote attackers to cause a denial of service (segmentation fault) via a request to delete a key, which does not account for the lack of a null terminator in the key and triggers a buffer over-read when printing to stderr, a different vulnerability than CVE-2013-0179 (CVE-2013-7290).

memcached before 1.4.17, when running in verbose mode, allows remote attackers to cause a denial of service (crash) via a request that triggers an unbounded key print during logging, related to an issue that was quickly grepped out of the source tree, a different vulnerability than CVE-2013-0179 and CVE-2013-7290 (CVE-2013-7291).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7239
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7290
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7291
https://code.google.com/p/memcached/wiki/ReleaseNotes1417

(from redmine: issue id 2625, created on 2014-02-04, closed on 2014-04-18)

  • Relations:
    • parent #2624 (closed)
  • Changesets:
    • Revision 4f87afbb by Natanael Copa on 2014-04-17T11:30:01Z:
main/memcached: security upgrade to 1.4.17 (CVE-2013-0179,CVE-2013-7239,CVE-2013-7290,CVE-2013-7291)

fixes #2625

(cherry picked from commit 01c5af01dadb92ad64c468444fcd4b58e00ccdc9)

Conflicts:

	main/memcached/APKBUILD
To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information
Assignee
Assign to
Alpine 2.4.12
Milestone
Alpine 2.4.12 (Past due)
Assign milestone
Time tracking
None
Due date
None
Reference: alpine/aports#2625