Message-ID: <27184e15-28ab-4017-997e-1e4c3f9bf63e@oracle.com>
Date: Sun, 24 May 2026 10:59:03 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Re: Memcached 1.6.42 is a "major security focused release" with CVE's TBD

On 5/19/26 10:14, Alan Coopersmith wrote:
> https://github.com/memcached/memcached/wiki/ReleaseNotes1642 reveals:
>> Similarly I have not created CVE's for any of these as that requires
>> understanding the severity of each bug. In most cases these submissions
>> vastly overstated the severity of the bug. I leave it up to the submitters
>> to request their own CVE's if they wish.

MITRE has issued two CVE's now:

CVE-2026-47783
--------------
In memcached before 1.6.42, username data for SASL password database
authentication has a timing side channel because a loop exits as soon
as a valid username is found by sasl_server_userdb_checkpass.

https://github.com/memcached/memcached/commit/d13f282b4bce33a9c33b8a1bbf07f12114160fed

CVE-2026-47784
--------------
In memcached before 1.6.42, password data for SASL password database
authentication has a timing side channel because memcmp is used by
sasl_server_userdb_checkpass.

https://github.com/memcached/memcached/commit/d13f282b4bce33a9c33b8a1bbf07f12114160fed

-- 
         -Alan Coopersmith-                 alan.coopersmith@...cle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris
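
The two timing side channels described above, illustrated in C as an added example that is not memcached's code: a constructed two-entry table (`creds`) stands in for the SASL password database, `checkpass_leaky` shows the early-exit pattern the CVEs describe, and `checkpass_ct` walks every entry and compares without data-dependent early exits. All names and the table contents are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed credential table standing in for a SASL password database. */
struct cred { const char *user; const char *pass; };
static const struct cred creds[] = {
    { "alice", "correct horse" },
    { "bob",   "battery staple" },
};
#define NCREDS (sizeof creds / sizeof creds[0])

/* Pattern the two CVEs describe, kept only as the "before": the table walk
 * stops at the first matching username (CVE-2026-47783) and memcmp returns
 * at the first differing password byte (CVE-2026-47784). */
static int checkpass_leaky(const char *user, const char *pass) {
    for (size_t i = 0; i < NCREDS; i++) {
        if (strcmp(creds[i].user, user) == 0) {
            size_t n = strlen(pass);
            return strlen(creds[i].pass) == n &&
                   memcmp(creds[i].pass, pass, n) == 0;
        }
    }
    return 0;
}

/* String equality whose loop count depends only on the lengths, never on
 * where the first mismatch sits. The lengths themselves are still visible
 * through strlen; a production version would pad secrets to a fixed width. */
static int ct_str_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), n = la > lb ? la : lb;
    uint8_t diff = (uint8_t)(la != lb);
    for (size_t i = 0; i < n; i++) {
        uint8_t ca = i < la ? (uint8_t)a[i] : 0;
        uint8_t cb = i < lb ? (uint8_t)b[i] : 0;
        diff |= ca ^ cb;
    }
    return diff == 0;
}

/* Hardened form: visit every entry on every call and OR the results
 * together, so unknown users, known users with a wrong password and
 * correct credentials all take the same path through the table. */
static int checkpass_ct(const char *user, const char *pass) {
    int ok = 0;
    for (size_t i = 0; i < NCREDS; i++)
        ok |= ct_str_equal(creds[i].user, user) & ct_str_equal(creds[i].pass, pass);
    return ok;
}
```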
