Your message dated Thu, 21 May 2026 20:34:19 +0000
with message-id <[email protected]>
and subject line Bug#1137214: fixed in memcached 1.6.42-1
has caused the Debian Bug report #1137214,
regarding memcached: CVE-2026-47783 CVE-2026-47784
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1137214: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137214
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: memcached
Version: 1.6.41-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerabilities were published for memcached.

CVE-2026-47783[0]:
| In memcached before 1.6.42, username data for SASL password database
| authentication has a timing side channel because a loop exits as
| soon as a valid username is found by sasl_server_userdb_checkpass.

CVE-2026-47784[1]:
| In memcached before 1.6.42, password data for SASL password database
| authentication has a timing side channel because memcmp is used by
| sasl_server_userdb_checkpass.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-47783
    https://www.cve.org/CVERecord?id=CVE-2026-47783
    https://github.com/memcached/memcached/commit/d13f282b4bce33a9c33b8a1bbf07f12114160fed
[1] https://security-tracker.debian.org/tracker/CVE-2026-47784
    https://www.cve.org/CVERecord?id=CVE-2026-47784
    https://github.com/memcached/memcached/commit/d13f282b4bce33a9c33b8a1bbf07f12114160fed

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
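
Added example, not part of the original messages and not memcached's code: the two patterns named in the CVE descriptions above (a lookup loop that exits at the first matching username, and memcmp on the password) next to a variant that scans every entry and compares fixed-width fields without data-dependent branches. The names FIELD, struct cred, DB, check_leaky, ct_equal and check_ct are hypothetical, and the credential table is constructed sample data.

```c
#include <stddef.h>
#include <string.h>

#define FIELD 32  /* assumed fixed field width for this example */
struct cred { char user[FIELD]; char pass[FIELD]; };

/* Constructed sample database; the initializer zero-pads each field. */
static const struct cred DB[] = {
    { "alice", "correct-horse" },
    { "bob",   "battery-staple" },
};
#define DB_LEN (sizeof DB / sizeof DB[0])

/* Leaky pattern: the loop returns at the first username match and memcmp
 * may stop at the first differing byte, so run time depends on stored data. */
int check_leaky(const char *user, const char *pass) {
    size_t ulen = strlen(user), plen = strlen(pass);
    for (size_t i = 0; i < DB_LEN; i++) {
        if (strlen(DB[i].user) == ulen && memcmp(DB[i].user, user, ulen) == 0)
            return strlen(DB[i].pass) == plen &&
                   memcmp(DB[i].pass, pass, plen) == 0;
    }
    return 0;
}

/* Returns 1 if all n bytes are equal; reads every byte and never branches on them. */
static int ct_equal(const void *a, const void *b, size_t n) {
    const volatile unsigned char *x = a, *y = b;
    unsigned int diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned int)(x[i] ^ y[i]);
    return (int)(((diff - 1u) >> 8) & 1u);  /* 1 only when diff == 0 */
}

/* Hardened variant: pad the input to FIELD bytes, visit every entry, OR the results. */
int check_ct(const char *user, const char *pass) {
    char u[FIELD] = {0}, p[FIELD] = {0};
    size_t ulen = strlen(user), plen = strlen(pass);
    if (ulen >= FIELD || plen >= FIELD)  /* input length is caller-supplied, not secret */
        return 0;
    memcpy(u, user, ulen);
    memcpy(p, pass, plen);
    int ok = 0;
    for (size_t i = 0; i < DB_LEN; i++)  /* no early exit on a username match */
        ok |= ct_equal(u, DB[i].user, FIELD) & ct_equal(p, DB[i].pass, FIELD);
    return ok;
}
```

Both functions return the same accept/reject decision; only check_ct does the same amount of work whether or not the username exists and wherever the first mismatching byte falls.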
--- Begin Message ---
Source: memcached
Source-Version: 1.6.42-1
Done: Chris Lamb <[email protected]>
We believe that the bug you reported is fixed in the latest version of
memcached, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated memcached package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 21 May 2026 13:14:29 -0700
Source: memcached
Built-For-Profiles: nocheck
Architecture: source
Version: 1.6.42-1
Distribution: unstable
Urgency: high
Maintainer: Chris Lamb <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Closes: 1137214
Changes:
 memcached (1.6.42-1) unstable; urgency=high
 .
   * New upstream release. (Closes: #1137214)
     <https://github.com/memcached/memcached/wiki/ReleaseNotes1642>
 .
     - CVE-2026-47783: Username data for SASL password database authentication
       had a timing side-channel vulnerability, because a loop exits as soon as
       a valid username is found by the sasl_server_userdb_checkpass method.
 .
     - CVE-2026-47784: Password data for SASL password database authentication
       had a timing side-channel attack, because memcmp is used by the
       sasl_server_userdb_checkpass method.
 .
   * Bump Standards-Version to 4.7.4.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---