Bug 13264

Summary:	[CVE 21] libmemcached 1.0.18 CVEs found
Product:	[ROSA-based products] ROSA Fresh	Reporter:	Yury <y.tumanov>
Component:	System (kernel, glibc, systemd, bash, PAM...)	Assignee:	ROSA Linux Bugs <bugs>
Status:	RESOLVED WONTFIX	QA Contact:	ROSA Linux Bugs <bugs>
Severity:	normal
Priority:	Normal	CC:	a.proklov, m.novosyolov, s.matveev, y.tumanov
Version:	All	Flags:	y.tumanov: secteam_verified+
Target Milestone:	---
Hardware:	All
OS:	Linux
URL:	CVE-2023-27478,
Whiteboard:
Platform:	2021.1	ROSA Vulnerability identifier:
RPM Package:		ISO-related:
Bad POT generating:		Upstream:

Description Yury 2023-05-03 13:58:10 MSK

Please patch CVEs for package libmemcached version 1.0.18  
INFO (CVEs are): libmemcached 1.0.18 cves found
CVE-2023-27478
Desc: libmemcached-awesome is an open source C/C++ client library and tools for the memcached server. `libmemcached` could return data for a previously requested key, if that previous request timed out due to a low `POLL_TIMEOUT`. This issue has been addressed in version 1.1.4. Users are advised to upgrade. There are several ways to workaround or lower the probability of this bug affecting a given deployment. 1: use a reasonably high `POLL_TIMEOUT` setting, like the default. 2: use separate libmemcached connections for unrelated data. 3: do not re-use libmemcached connections in an unknown state.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-27478
Severity: MEDIUM

Comment 1 Svyatoslav Matveev 2023-05-04 11:18:48 MSK

Уязвимый код обнаружен с версии 1.1.0.
Наша версия не поддвержена этой уязвимостью.

Comment 2 Yury 2023-07-25 13:17:03 MSK

Known Affected Software Configurations Switch to CPE 2.2
Configuration 1 ( hide )
  cpe:2.3:a:awesome:libmemcached:*:*:*:*:*:*:*:*
   Show Matching CPE(s)	From (including)
1.0.18	Up to (excluding)
1.1.4

https://nvd.nist.gov/vuln/detail/CVE-2023-27478

На НВД написано не так

Comment 3 Aleksandr Proklov 2023-10-19 12:00:41 MSK

Ну нету там такого кода чтоб запатчить, нету!

Comment 4 Yury 2023-10-19 12:21:21 MSK

secteam_verified