
CVE-2023-31484, CVE-2023-2953, CVE-2023-50387 #1133

Closed
MMull-igan opened this issue May 10, 2024 · 3 comments

Comments

@MMull-igan

Hello,

We are using memcached:1.6.26 and a recent security scan has picked up the following:

CVE-2023-31484

  • CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.
  • Scanner found in memcached package: "perl" version 5.36.0
  • CPAN.pm was upgraded to version 2.36 in perl version 5.39.0

CVE-2023-2953

  • A vulnerability was found in openldap. This security flaw causes a null pointer dereference in the ber_memalloc_x() function.
  • Scanner found in memcached package: "openldap" version 2.5.13
  • Seems as if this issue was fixed in this bug report

CVE-2023-50387

  • Certain DNSSEC aspects of the DNS protocol (in RFC 4035 and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses when there is a zone with many DNSKEY and RRSIG records, aka the "KeyTrap" issue. The protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
  • Scanner found in memcached package: "systemd" version 252.22-1
  • This vulnerability was resolved in later versions listed here

Would it be possible to update these package versions in order to remove the vulnerabilities?

Thank you

@dormando
Member

Hi. I have no idea what memcached:1.6.26 is - where are you getting this and what is it? Docker maybe? The docker image should have contact info about the actual maintainers. We don't provide any prebuilt images here.

@MMull-igan
Author

MMull-igan commented May 15, 2024

Hi. I have no idea what memcached:1.6.26 is - where are you getting this and what is it? Docker maybe? The docker image should have contact info about the actual maintainers. We don't provide any prebuilt images here.

We are pulling the memcached docker image from this bitnami repo here. Does this not just pull the release tags from this github repository, to where memcached:1.6.26 in bitnami is the same as the github release tag 1.6.26? I have also raised an issue with the bitnami maintainers, but in previous posts about CVEs they have advised that the vulnerabilities would be handled by the upstream project.

Thank you

@dormando
Member

This repo is just the source code to the memcached binary. All of the CVEs you listed are for OS dependencies, which aren't connected to memcached at all. That's all an artifact of whoever built the image.
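One way to check the point made above for any container image, as an added example that is not part of this thread or the memcached project: compare the shared libraries the memcached binary actually loads (from `ldd` output) against the libraries shipped by each package the scanner flagged. The `ldd` output and the package file lists below are constructed samples; in practice they would come from `ldd /path/to/memcached` and `dpkg -L <package>` run inside the image.

```python
import re

# Constructed sample: the scanner findings from the issue (CVE, package, version).
SCANNER_FINDINGS = [
    ("CVE-2023-31484", "perl", "5.36.0"),
    ("CVE-2023-2953", "openldap", "2.5.13"),
    ("CVE-2023-50387", "systemd", "252.22-1"),
]

# Constructed sample of `ldd` output for the memcached binary inside the image
# (hypothetical; real output depends on how the image was built).
LDD_OUTPUT = """\
\tlinux-vdso.so.1 (0x00007ffd1b3f0000)
\tlibevent-2.1.so.7 => /usr/lib/x86_64-linux-gnu/libevent-2.1.so.7 (0x00007f2c3d200000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2c3d000000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f2c3d400000)
"""

# Constructed sample of the shared libraries each flagged package ships
# (what `dpkg -L <pkg>` would list, reduced to .so files).
PACKAGE_LIBS = {
    "perl": [],  # interpreter and modules only; nothing a C binary links against
    "openldap": ["/usr/lib/x86_64-linux-gnu/libldap-2.5.so.0"],
    "systemd": ["/lib/x86_64-linux-gnu/libsystemd.so.0"],
}

def linked_libraries(ldd_text):
    """Return the set of resolved library paths named in ldd output."""
    paths = set()
    for line in ldd_text.splitlines():
        m = re.search(r"=>\s*(/\S+)", line)
        if m:
            paths.add(m.group(1))
        elif line.strip().startswith("/"):  # the dynamic loader line has no '=>'
            paths.add(line.strip().split()[0])
    return paths

def triage(findings, ldd_text, package_libs):
    """Label each CVE 'linked' if the binary loads a library from that package, else 'base-image'."""
    loaded = linked_libraries(ldd_text)
    labels = {}
    for cve, pkg, _version in findings:
        hit = any(lib in loaded for lib in package_libs.get(pkg, []))
        labels[cve] = "linked" if hit else "base-image"
    return labels

if __name__ == "__main__":
    for cve, label in triage(SCANNER_FINDINGS, LDD_OUTPUT, PACKAGE_LIBS).items():
        print(cve, label)
```

Only link-time dependencies show up in `ldd`; a statically linked binary or a library loaded with dlopen() needs a different check, and a "base-image" label means the fix belongs to whoever builds the image, not that the package is harmless while it stays installed.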
