Source: memcached
Version: 1.6.41-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for memcached.

CVE-2026-47783[0]:
| In memcached before 1.6.42, username data for SASL password database
| authentication has a timing side channel because a loop exits as
| soon as a valid username is found by sasl_server_userdb_checkpass.


CVE-2026-47784[1]:
| In memcached before 1.6.42, password data for SASL password database
| authentication has a timing side channel because memcmp is used by
| sasl_server_userdb_checkpass.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-47783
    https://www.cve.org/CVERecord?id=CVE-2026-47783
    https://github.com/memcached/memcached/commit/d13f282b4bce33a9c33b8a1bbf07f12114160fed
[1] https://security-tracker.debian.org/tracker/CVE-2026-47784
    https://www.cve.org/CVERecord?id=CVE-2026-47784
    https://github.com/memcached/memcached/commit/d13f282b4bce33a9c33b8a1bbf07f12114160fed

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
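
The two timing patterns named in the CVE descriptions above, shown next to a constant-time form. This is an added illustration, not memcached's code and not the upstream fix; the struct layout, FIELD_LEN, the function names and the sample credentials are constructed assumptions.

```c
#include <stddef.h>
#include <string.h>

#define FIELD_LEN 32   /* assumed fixed field width; longer input is rejected */
struct cred { char user[FIELD_LEN]; char pass[FIELD_LEN]; };

/* Constructed sample table (hypothetical layout); unused bytes are zero. */
static const struct cred sample_db[] = {
    { "alice", "correct horse" },
    { "bob",   "hunter2" },
};

/* Pattern from the CVE text: stops at the first username hit, then memcmp. */
int checkpass_leaky(const struct cred *db, size_t n, const char *user, const char *pass) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(db[i].user, user) == 0)   /* run time depends on position */
            return strlen(pass) < FIELD_LEN && memcmp(db[i].pass, pass, strlen(pass) + 1) == 0;
    return 0;
}

/* Returns 1 if two FIELD_LEN buffers match; always reads every byte. */
static unsigned ct_equal(const char *a, const char *b) {
    unsigned diff = 0;
    for (size_t i = 0; i < FIELD_LEN; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return ((diff - 1u) >> 8) & 1u;          /* diff == 0 -> 1, else 0 */
}

/* Zero-pads input to FIELD_LEN so comparisons never depend on stored length. */
static unsigned pad_field(char out[FIELD_LEN], const char *in) {
    size_t n = strlen(in);
    memset(out, 0, FIELD_LEN);
    if (n >= FIELD_LEN) return 0;
    memcpy(out, in, n);
    return 1;
}

/* Hardened form: visits every entry and accumulates without branching. */
int checkpass_ct(const struct cred *db, size_t n, const char *user, const char *pass) {
    char u[FIELD_LEN], p[FIELD_LEN];
    unsigned ok = pad_field(u, user) & pad_field(p, pass), found = 0;
    for (size_t i = 0; i < n; i++)
        found |= ct_equal(db[i].user, u) & ct_equal(db[i].pass, p);
    return (int)(found & ok);
}

int main(void) {
    return !(checkpass_ct(sample_db, 2, "bob", "hunter2") == 1);
}
```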
