CVE-2009-1255
Published: 30 April 2009
The process_stat function in (1) Memcached before 1.2.8 and (2) MemcacheDB 1.2.0 discloses (a) the contents of /proc/self/maps in response to a stats maps command and (b) memory-allocation statistics in response to a stats malloc command, which allows remote attackers to obtain sensitive information such as the locations of memory regions, and defeat ASLR protection, by sending a command to the daemon's TCP port.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
memcached Launchpad, Ubuntu, Debian |
dapper |
Ignored
(reached end-of-life)
|
| hardy |
Ignored
(reached end-of-life)
|
|
| intrepid |
Needs triage
(reached end-of-life)
|
|
| jaunty |
Ignored
(reached end-of-life)
|
|
| karmic |
Not vulnerable
(1.2.8-1)
|
|
| lucid |
Not vulnerable
|
|
| maverick |
Not vulnerable
|
|
| natty |
Not vulnerable
|
|
| oneiric |
Not vulnerable
|
|
| precise |
Not vulnerable
|
|
| upstream |
Released
(1.2.8-1)
|
|
|
memcachedb Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Does not exist
|
|
| intrepid |
Does not exist
|
|
| jaunty |
Ignored
(reached end-of-life)
|
|
| karmic |
Not vulnerable
(1.2.0-5)
|
|
| lucid |
Not vulnerable
|
|
| maverick |
Not vulnerable
|
|
| natty |
Not vulnerable
|
|
| oneiric |
Not vulnerable
|
|
| precise |
Not vulnerable
|
|
| upstream |
Released
(1.2.0-3)
|