Source: libmemcached
Version: 1.1.3-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: fixed -1 1.1.4-1

Hi,

The following vulnerability was published for libmemcached. It is fixed
with the recent upload 1.1.4-1 to unstable already. But the fix should
land in bookworm as well before bookworm release ideally.

CVE-2023-27478[0]:
| libmemcached-awesome is an open source C/C++ client library and tools
| for the memcached server. `libmemcached` could return data for a
| previously requested key, if that previous request timed out due to a
| low `POLL_TIMEOUT`. This issue has been addressed in version 1.1.4.
| Users are advised to upgrade. There are several ways to workaround or
| lower the probability of this bug affecting a given deployment. 1: use
| a reasonably high `POLL_TIMEOUT` setting, like the default. 2: use
| separate libmemcached connections for unrelated data. 3: do not re-use
| libmemcached connections in an unknown state.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-27478
    https://www.cve.org/CVERecord?id=CVE-2023-27478

Regards,
Salvatore
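
The behaviour in the CVE description and workaround 3, as an added example that is not part of the original report and is not libmemcached code. It is a constructed model of one client connection; the names `conn`, `get` and `bob_after_timeout`, the keys and the values are all hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define QMAX 8

/* Constructed model: a connection holds the server replies the client has
 * not read yet, in arrival order. Nothing here is libmemcached's API. */
struct reply { const char *key, *val; };
struct conn {
    struct reply q[QMAX];
    int head, tail;
    bool unknown;            /* a request timed out with its reply unread */
};

/* One GET. slow=true models the poll timeout expiring before the reply
 * arrives: the caller gets nothing, but the reply stays queued.
 * discard_unknown=true models workaround 3: a connection in an unknown
 * state is dropped and re-opened instead of being reused. */
static const char *get(struct conn *c, const char *key, const char *server_val,
                       bool slow, bool discard_unknown)
{
    if (discard_unknown && c->unknown)
        memset(c, 0, sizeof *c);             /* close and reconnect */
    c->q[c->tail++ % QMAX] = (struct reply){ key, server_val };
    if (slow) {
        c->unknown = true;                   /* reply left behind */
        return NULL;
    }
    return c->q[c->head++ % QMAX].val;       /* oldest unread reply */
}

/* Value returned for bob's key after alice's lookup timed out on the
 * same connection. */
static const char *bob_after_timeout(bool discard_unknown)
{
    struct conn c = {0};
    get(&c, "session:alice", "alice-data", true, discard_unknown);
    return get(&c, "session:bob", "bob-data", false, discard_unknown);
}

int main(void)
{
    printf("connection reused:    %s\n", bob_after_timeout(false));
    printf("connection discarded: %s\n", bob_after_timeout(true));
    return 0;
}
```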