memcached-1.4.33-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10021-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z memcached-1.4.33-1.1 on GA media These are all security issues fixed in the memcached-1.4.33-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10021 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2009-1494/ SUSE CVE CVE-2009-1494 page https://www.suse.com/security/cve/CVE-2011-4971/ SUSE CVE CVE-2011-4971 page https://www.suse.com/security/cve/CVE-2013-0179/ SUSE CVE CVE-2013-0179 page https://www.suse.com/security/cve/CVE-2013-7239/ SUSE CVE CVE-2013-7239 page https://www.suse.com/security/cve/CVE-2013-7290/ SUSE CVE CVE-2013-7290 page https://www.suse.com/security/cve/CVE-2013-7291/ SUSE CVE CVE-2013-7291 page https://www.suse.com/security/cve/CVE-2016-8704/ SUSE CVE CVE-2016-8704 page https://www.suse.com/security/cve/CVE-2016-8705/ SUSE CVE CVE-2016-8705 page https://www.suse.com/security/cve/CVE-2016-8706/ SUSE CVE CVE-2016-8706 page openSUSE Tumbleweed memcached-1.4.33-1.1 memcached-devel-1.4.33-1.1 memcached-1.4.33-1.1 as a component of openSUSE Tumbleweed memcached-devel-1.4.33-1.1 as a component of openSUSE Tumbleweed The process_stat function in Memcached 1.2.8 discloses memory-allocation statistics in response to a stats malloc command, which allows remote attackers to obtain potentially sensitive information by sending this command to the daemon's TCP port. CVE-2009-1494 openSUSE Tumbleweed:memcached-1.4.33-1.1 openSUSE Tumbleweed:memcached-devel-1.4.33-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-1494.html CVE-2009-1494 https://bugzilla.suse.com/501656 SUSE Bug 501656 Multiple integer signedness errors in the (1) process_bin_sasl_auth, (2) process_bin_complete_sasl_auth, (3) process_bin_update, and (4) process_bin_append_prepend functions in Memcached 1.4.5 and earlier allow remote attackers to cause a denial of service (crash) via a large body length value in a packet. CVE-2011-4971 openSUSE Tumbleweed:memcached-1.4.33-1.1 openSUSE Tumbleweed:memcached-devel-1.4.33-1.1 low 1.8 AV:A/AC:H/Au:N/C:N/I:N/A:P 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-4971.html CVE-2011-4971 https://bugzilla.suse.com/817781 SUSE Bug 817781 The process_bin_delete function in memcached.c in memcached 1.4.4 and other versions before 1.4.17, when running in verbose mode, allows remote attackers to cause a denial of service (segmentation fault) via a request to delete a key, which does not account for the lack of a null terminator in the key and triggers a buffer over-read when printing to stderr. CVE-2013-0179 openSUSE Tumbleweed:memcached-1.4.33-1.1 openSUSE Tumbleweed:memcached-devel-1.4.33-1.1 low 1.8 AV:A/AC:H/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-0179.html CVE-2013-0179 https://bugzilla.suse.com/798458 SUSE Bug 798458 memcached before 1.4.17 allows remote attackers to bypass authentication by sending an invalid request with SASL credentials, then sending another request with incorrect SASL credentials. CVE-2013-7239 openSUSE Tumbleweed:memcached-1.4.33-1.1 openSUSE Tumbleweed:memcached-devel-1.4.33-1.1 moderate 4.8 AV:A/AC:L/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-7239.html CVE-2013-7239 https://bugzilla.suse.com/857188 SUSE Bug 857188 The do_item_get function in items.c in memcached 1.4.4 and other versions before 1.4.17, when running in verbose mode, allows remote attackers to cause a denial of service (segmentation fault) via a request to delete a key, which does not account for the lack of a null terminator in the key and triggers a buffer over-read when printing to stderr, a different vulnerability than CVE-2013-0179. CVE-2013-7290 openSUSE Tumbleweed:memcached-1.4.33-1.1 openSUSE Tumbleweed:memcached-devel-1.4.33-1.1 low 1.8 AV:A/AC:H/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-7290.html CVE-2013-7290 https://bugzilla.suse.com/858677 SUSE Bug 858677 memcached before 1.4.17, when running in verbose mode, allows remote attackers to cause a denial of service (crash) via a request that triggers an "unbounded key print" during logging, related to an issue that was "quickly grepped out of the source tree," a different vulnerability than CVE-2013-0179 and CVE-2013-7290. CVE-2013-7291 openSUSE Tumbleweed:memcached-1.4.33-1.1 openSUSE Tumbleweed:memcached-devel-1.4.33-1.1 low 1.8 AV:A/AC:H/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-7291.html CVE-2013-7291 https://bugzilla.suse.com/858676 SUSE Bug 858676 An integer overflow in the process_bin_append_prepend function in Memcached, which is responsible for processing multiple commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution. CVE-2016-8704 openSUSE Tumbleweed:memcached-1.4.33-1.1 openSUSE Tumbleweed:memcached-devel-1.4.33-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-8704.html CVE-2016-8704 https://bugzilla.suse.com/1007719 SUSE Bug 1007719 https://bugzilla.suse.com/1007866 SUSE Bug 1007866 https://bugzilla.suse.com/1007871 SUSE Bug 1007871 Multiple integer overflows in process_bin_update function in Memcached, which is responsible for processing multiple commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution. CVE-2016-8705 openSUSE Tumbleweed:memcached-1.4.33-1.1 openSUSE Tumbleweed:memcached-devel-1.4.33-1.1 critical 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-8705.html CVE-2016-8705 https://bugzilla.suse.com/1007866 SUSE Bug 1007866 https://bugzilla.suse.com/1007870 SUSE Bug 1007870 https://bugzilla.suse.com/1056865 SUSE Bug 1056865 An integer overflow in process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution. CVE-2016-8706 openSUSE Tumbleweed:memcached-1.4.33-1.1 openSUSE Tumbleweed:memcached-devel-1.4.33-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-8706.html CVE-2016-8706 https://bugzilla.suse.com/1007866 SUSE Bug 1007866 https://bugzilla.suse.com/1007869 SUSE Bug 1007869