Message-ID: <20131230071725.GA8278@eldamar.local>
Date: Mon, 30 Dec 2013 08:17:26 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Subject: CVE Request: SASL authentication allows wrong credentials to access
 memcache

Hi

From upstream release notes for 1.4.17[1] it states "The other notable
bug is a SASL authentication bypass glitch. If a client makes an
invalid request with SASL credentials, it will initially fail. However
if you issue a second request with bad SASL credentials, it will
authenticate. This has now been fixed.".

The upstream bug report is at [2], with the corresponding commit fixing
this issue at [3].

 [1] https://code.google.com/p/memcached/wiki/ReleaseNotes1417
 [2] https://code.google.com/p/memcached/issues/detail?id=316
 [3] https://github.com/memcached/memcached/commit/87c1cf0f20be20608d3becf854e9cf0910f4ad32

Could a CVE be assigned to this issue?

Regards, and thanks in advance

Salvatore
