CVE-2009-2415

Name	CVE-2009-2415
Description	Multiple integer overflows in memcached 1.1.12 and 1.2.2 allow remote attackers to execute arbitrary code via vectors involving length attributes that trigger heap-based buffer overflows.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-1853-1
Debian Bugs	540379, 540381

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
memcached (PTS)	buster	1.5.6-1.1	fixed
	buster (security)	1.5.6-1.1+deb10u1	fixed
	bullseye	1.6.9+dfsg-1	fixed
	bookworm	1.6.18-1	fixed
	trixie	1.6.23-1	fixed
	sid	1.6.26-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
memcached	source	etch	1.1.12-1+etch1		DSA-1853-1
memcached	source	lenny	1.2.2-1+lenny1		DSA-1853-1
memcached	source	(unstable)	1.4.1-1	medium		540379
memcachedb	source	(unstable)	1.2.0-5	medium		540381

Notes

the impact varies, on etch this runs as root and is not bound
to the loopback interface by default, memcached is even distributed
but fortunately not in a stable release.