CVE-2009-1494

Name	CVE-2009-1494
Description	The process_stat function in Memcached 1.2.8 discloses memory-allocation statistics in response to a stats malloc command, which allows remote attackers to obtain potentially sensitive information by sending this command to the daemon's TCP port.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	526554

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
memcached (PTS)	buster	1.5.6-1.1	fixed
	buster (security)	1.5.6-1.1+deb10u1	fixed
	bullseye	1.6.9+dfsg-1	fixed
	bookworm	1.6.18-1	fixed
	trixie	1.6.23-1	fixed
	sid	1.6.26-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Debian Bugs
memcached	source	etch	(not affected)
memcached	source	lenny	(not affected)
memcached	source	(unstable)	1.2.8-1	low	526554

[lenny] - memcached <not-affected> (Affected compile-time options not set)
[etch] - memcached <not-affected> (Affected compile-time options not set)