SUSE Security Update: Security update for memcached ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:0778-1 Rating: important References: #1007869 #1007870 #1007871 #1056865 #798458 #817781 #857188 #858676 #858677 Cross-References: CVE-2011-4971 CVE-2013-0179 CVE-2013-7239 CVE-2013-7290 CVE-2013-7291 CVE-2016-8704 CVE-2016-8705 CVE-2016-8706 CVE-2017-9951 Affected Products: SUSE OpenStack Cloud 7 SUSE Enterprise Storage 4 ______________________________________________________________________________ An update that fixes 9 vulnerabilities is now available. Description: This update for memcached fixes the following issues: Security issues fixed: - CVE-2011-4971: remote DoS (bsc#817781). - CVE-2013-0179: DoS when printing out keys to be deleted in verbose mode (bsc#798458). - CVE-2013-7239: SASL authentication allows wrong credentials to access memcache (bsc#857188). - CVE-2013-7290: remote DoS (segmentation fault) via a request to delete a key (bsc#858677). - CVE-2013-7291: remote DoS (crash) via a request that triggers "unbounded key print" (bsc#858676). - CVE-2016-8704: Server append/prepend remote code execution (bsc#1007871). - CVE-2016-8705: Server update remote code execution (bsc#1007870). - CVE-2016-8706: Server ASL authentication remote code execution (bsc#1007869). - CVE-2017-9951: Heap-based buffer over-read in try_read_command function (incomplete fix for CVE-2016-8705) (bsc#1056865). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2018-529=1 - SUSE Enterprise Storage 4: zypper in -t patch SUSE-Storage-4-2018-529=1 Package List: - SUSE OpenStack Cloud 7 (aarch64 s390x x86_64): memcached-1.4.39-3.3.2 memcached-debuginfo-1.4.39-3.3.2 memcached-debugsource-1.4.39-3.3.2 - SUSE Enterprise Storage 4 (aarch64 x86_64): memcached-1.4.39-3.3.2 memcached-debuginfo-1.4.39-3.3.2 memcached-debugsource-1.4.39-3.3.2 References: https://www.suse.com/security/cve/CVE-2011-4971.html https://www.suse.com/security/cve/CVE-2013-0179.html https://www.suse.com/security/cve/CVE-2013-7239.html https://www.suse.com/security/cve/CVE-2013-7290.html https://www.suse.com/security/cve/CVE-2013-7291.html https://www.suse.com/security/cve/CVE-2016-8704.html https://www.suse.com/security/cve/CVE-2016-8705.html https://www.suse.com/security/cve/CVE-2016-8706.html https://www.suse.com/security/cve/CVE-2017-9951.html https://bugzilla.suse.com/1007869 https://bugzilla.suse.com/1007870 https://bugzilla.suse.com/1007871 https://bugzilla.suse.com/1056865 https://bugzilla.suse.com/798458 https://bugzilla.suse.com/817781 https://bugzilla.suse.com/857188 https://bugzilla.suse.com/858676 https://bugzilla.suse.com/858677 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org