Bug 581113 (CVE-2010-1152)

Summary: CVE-2010-1152 memcached (v1.2.8): Remote denial of service (excessive memory use, hang / crash)
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jrusnack, lindner
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://code.google.com/p/memcached/issues/detail?id=102
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-02-07 06:05:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Lieskovsky 2010-04-10 09:21:16 UTC 
A deficiency was found:
  [1] http://code.google.com/p/memcached/issues/detail?id=102

in the way memcached processed received TCP data. A remote
attacker could use this flaw to cause denial of service (excessive
use of memory, server hang or crash).

Upstream patches:
  [3] http://github.com/memcached/memcached/commit/75cc83685e103bc8ba380a57468c8f04413033f9
  [4] http://github.com/memcached/memcached/commit/d9cd01ede97f4145af9781d448c62a3318952719

References:
  [4] http://secunia.com/advisories/39306/
Comment 1 Jan Lieskovsky 2010-04-10 09:22:10 UTC 
This issue affects the versions of memcached package,
as shipped with Fedora release of 11.

Please fix.
Comment 2 Paul Lindner 2010-04-12 00:50:31 UTC 
I'm a bit busy at the moment, I won't be able to spin off a 1.4.5 release for F-11 for a little while.  That said this is a very minor issue as security issues go...
Comment 3 Paul Lindner 2012-02-07 06:05:19 UTC 
closed, 1.4.10 is latest release.