CVE-2023-27478

Name: CVE-2023-27478

Description: libmemcached-awesome is an open source C/C++ client library and tools for the memcached server. `libmemcached` could return data for a previously requested key if that previous request timed out due to a low `POLL_TIMEOUT`. This issue has been addressed in version 1.1.4. Users are advised to upgrade. There are several ways to work around this bug or lower the probability of it affecting a given deployment:
  1. use a reasonably high `POLL_TIMEOUT` setting, like the default;
  2. use separate libmemcached connections for unrelated data;
  3. do not re-use libmemcached connections in an unknown state.

Source: CVE (at NVD)

Debian Bugs: 1032479

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package       Release            Version      Status
libmemcached (PTS)   buster, bullseye   1.0.18-4.2   fixed
                     trixie, bookworm   1.1.4-1      fixed
                     sid                1.1.4-1.1    fixed

The information below is based on the following data on fixed versions.

Package        Type     Release      Fixed Version    Urgency   Origin   Debian Bugs
libmemcached   source   buster       (not affected)
libmemcached   source   bullseye     (not affected)
libmemcached   source   (unstable)   1.1.4-1                             1032479

Notes

[bullseye] - libmemcached <not-affected> (Vulnerable code introduced later)
[buster] - libmemcached <not-affected> (Vulnerable code introduced later)
Introduced with: https://github.com/awesomized/libmemcached/commit/d7a0084bf99d618d1dc26a54fd413db7ae8b8e63 (1.1.0-beta1)
Fixed by: https://github.com/awesomized/libmemcached/commit/48dcc61a4919f6f3d5ee164630a843f2d8b8ade9 (1.1.4)
