Memcached was found to be affected by a SASL authentication bypass glitch. The issue was that if the attacker makes an invalid request with SASL credentials, it will initially fail. However, if he issues a second request with bad SASL credentials, it will authenticate. This way, an attacker can get access to memcache even with wrong SASL credentials.

References:
http://seclists.org/oss-sec/2013/q4/565
https://code.google.com/p/memcached/issues/detail?id=316
https://code.google.com/p/memcached/wiki/ReleaseNotes1417

Commit:
https://github.com/memcached/memcached/commit/87c1cf0f20be20608d3becf854e9cf0910f4ad32
Created memcached tracking bugs for this issue:

Affects: fedora-all [bug 1047300]
Affects: epel-5 [bug 1047302]
Statement: Not Vulnerable. This issue does not affect the version of the memcached package as shipped with Red Hat Enterprise Linux 5 and 6, since it's not compiled with SASL support.
Please note that none of the EPEL, RHEL or Fedora memcached packages are affected by this bug as they are not compiled with SASL support.
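The two conditions discussed in this bug (SASL compiled in, and a release older than the one in the linked release notes) can be checked from a build's help text. The following is an added example, not part of the bug report or of memcached itself; it assumes that `memcached -h` prints `memcached <version>` on its first line, that only SASL-enabled builds list the `-S` option, and that 1.4.17 (taken from the ReleaseNotes1417 link above) is the fixed release. The sample help texts are constructed.

```shell
#!/bin/sh
# Added example: classify a memcached build from its `memcached -h` text.
# Assumed: line 1 is "memcached <version>"; "-S" appears only in SASL builds.
FIXED_VERSION="1.4.17"   # assumption, from the release notes linked in the report

# version_lt A B: succeed when dotted version A sorts strictly before B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    oldest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$oldest" = "$1" ]
}

# classify_help TEXT: print no-sasl | sasl-affected | sasl-fixed | unknown
classify_help() {
    help_text=$1
    version=$(printf '%s\n' "$help_text" |
        sed -n '1s/^memcached \([0-9][0-9.]*\).*$/\1/p')
    if [ -z "$version" ]; then
        echo unknown            # not recognisable memcached help output
    elif ! printf '%s\n' "$help_text" |
            grep -Eq '^[[:space:]]*-S([[:space:],]|$)'; then
        echo no-sasl            # built without SASL: the case in the Statement
    elif version_lt "$version" "$FIXED_VERSION"; then
        echo sasl-affected      # SASL build older than the fixed release
    else
        echo sasl-fixed
    fi
}

# Constructed sample help texts (not captured from real hosts).
SAMPLE_NO_SASL='memcached 1.4.4
-p <num>      TCP port number to listen on (default: 11211)
-s <file>     UNIX socket path to listen on (disables network support)'
SAMPLE_SASL_OLD='memcached 1.4.15
-p <num>      TCP port number to listen on (default: 11211)
-S            Turn on Sasl authentication'
SAMPLE_SASL_NEW='memcached 1.4.17
-p <num>      TCP port number to listen on (default: 11211)
-S            Turn on Sasl authentication'

# On a host with memcached installed:
#   classify_help "$(memcached -h 2>&1)"
```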