Message-ID: <c4f7f03e-194d-4a1a-9c9a-5f8a791e5051@oracle.com>
Date: Tue, 19 May 2026 10:14:00 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Memcached 1.6.42 is a "major security focused release" with CVE's TBD

https://github.com/memcached/memcached/wiki/ReleaseNotes1642 reveals:
> Memcached 1.6.42 Release Notes
> 
> Date: 2026-5-18
> 
> Download
> --------
> http://www.memcached.org/files/memcached-1.6.42.tar.gz
> 
> Overview
> --------
> This is a major security focused release. Nearly all of the fixes are security
> related for issues that can cause memory corruption, crashes, and so on.
> 
> If you submitted a security report that ended up being valid, you are credited
> in the commit history.
> 
> If you submitted a security report and do not see it here, it was either not a
> security bug or I missed it.
> 
> Due to the very high volume of security reports in this round I did not give
> them the individual scrutiny that I typically do: if there was a clear bug, it
> was fixed, but no effort was made to validate the potential impact of the bug.
> 
> Most of these bugs look extremely obscure, and are impossible to trigger
> without convoluted configurations. This does not apply to all of the bugs:
> if memcached can be accessed easily by an attacker it can be crashed.
> 
> Similarly I have not created CVE's for any of these as that requires
> understanding the severity of each bug. In most cases these submissions
> vastly overstated the severity of the bug. I leave it up to the submitters
> to request their own CVE's if they wish.
> 
> Upgrading is strongly advised, regardless. Thanks to everyone who submitted
> reports and for your patience in allowing me to collect the fixes all at once.
> 
> Fixes
> -----
>   - vendor: Instructively warn if vendor blob missing
>   - proxy: fix write length in extstore miss
>   - Fix timing side-channel in SASL password database authentication
>   - proto: fix signed overflow in bodylen for binprot
>   - proxy: fix underflow with 0 length values
>   - auth: fix data race during reload
>   - auth: fix crash when given huge token
>   - proto: fix crash in binary protocol
>   - core: fix crashes from slabs reassign
>   - proxy: check result of buffer parse in match_res
>   - proxy: fix memory underread when nulling requests
>   - update data block protocol description to no longer reference obsolete S flag
> 
> New Features
> ------------
> None.
> 
> Contributors
> ------------
> The following people contributed to this release since 1.6.41.
> 
> Note that this is based on who contributed changes, not how they were done.
> In many cases, a code snippet on the mailing list or a bug report ended up
> as a commit with your name on it.
> 
> Note that this is just a summary of how many changes each person made which
> doesn't necessarily reflect how significant each change was. For details on
> what led up into a branch, either grab the git repo and look at the output
> of git log 1.6.41..1.6.42 or use a web view.
> 
>   - Repo list: https://github.com/memcached/memcached/wiki/DevelopmentRepos
>   - Web View: http://github.com/memcached/memcached/commits/1.6.42
> 
>      8	dormando
>      2	Bujna, Igor
>      1	Alec Stewart
>      1	Sarthak Munshi
